| # Object-class declarations. Classes tagged "userspace" are enforced by a |
| # userspace object manager (X server, passwd, dbus, nscd) rather than the |
| # kernel; the kernel only knows the classes it implements itself. |
| # NOTE(review): in a monolithic policy of this vintage the declaration order |
| # fixes the compiled class indices, so append new classes, never reorder. |
| class security |
| class process |
| class system |
| class capability |
| class filesystem |
| class file |
| class dir |
| class fd |
| class lnk_file |
| class chr_file |
| class blk_file |
| class sock_file |
| class fifo_file |
| class socket |
| class tcp_socket |
| class udp_socket |
| class rawip_socket |
| class node |
| class netif |
| class netlink_socket |
| class packet_socket |
| class key_socket |
| class unix_stream_socket |
| class unix_dgram_socket |
| class sem |
| class msg |
| class msgq |
| class shm |
| class ipc |
| class passwd # userspace |
| class drawable # userspace |
| class window # userspace |
| class gc # userspace |
| class font # userspace |
| class colormap # userspace |
| class property # userspace |
| class cursor # userspace |
| class xclient # userspace |
| class xinput # userspace |
| class xserver # userspace |
| class xextension # userspace |
| class pax |
| class netlink_route_socket |
| class netlink_firewall_socket |
| class netlink_tcpdiag_socket |
| class netlink_nflog_socket |
| class netlink_xfrm_socket |
| class netlink_selinux_socket |
| class netlink_audit_socket |
| class netlink_ip6fw_socket |
| class netlink_dnrt_socket |
| class dbus # userspace |
| class nscd # userspace |
| class association |
| class netlink_kobject_uevent_socket |
| # Initial SIDs: the labels the kernel uses before the policy is loaded and |
| # for objects that have no other source of a label (e.g. "unlabeled"). |
| # Their contexts are bound elsewhere (initial_sid_contexts); order matters |
| # for the same reason as the class list above. |
| sid kernel |
| sid security |
| sid unlabeled |
| sid fs |
| sid file |
| sid file_labels |
| sid init |
| sid any_socket |
| sid port |
| sid netif |
| sid netmsg |
| sid node |
| sid igmp_packet |
| sid icmp_socket |
| sid tcp_socket |
| sid sysctl_modprobe |
| sid sysctl |
| sid sysctl_fs |
| sid sysctl_kernel |
| sid sysctl_net |
| sid sysctl_net_unix |
| sid sysctl_vm |
| sid sysctl_dev |
| sid kmod |
| sid policy |
| sid scmp_packet |
| sid devnull |
| # Permissions shared by every file-like class ("inherits file" below). |
| # relabelfrom/relabelto gate changing an object's security context, which is |
| # effectively the power to move an object into or out of another domain's |
| # reach; they are further restricted by the mlsconstrain rules below. |
| # "execute" here is the raw exec permission; the file class adds |
| # execute_no_trans / entrypoint to distinguish domain transitions. |
| common file |
| { |
| ioctl |
| read |
| write |
| create |
| getattr |
| setattr |
| lock |
| relabelfrom |
| relabelto |
| append |
| unlink |
| link |
| rename |
| execute |
| swapon |
| quotaon |
| mounton |
| } |
| # Permissions shared by every socket class ("inherits socket" below). |
| # name_bind is the check against the port label (the *_port_t types further |
| # down) when a socket binds to a named port; bind/connect/listen/accept are |
| # checked against the socket itself. |
| common socket |
| { |
| ioctl |
| read |
| write |
| create |
| getattr |
| setattr |
| lock |
| relabelfrom |
| relabelto |
| append |
| bind |
| connect |
| listen |
| accept |
| getopt |
| setopt |
| shutdown |
| recvfrom |
| sendto |
| recv_msg |
| send_msg |
| name_bind |
| } |
| # Permissions shared by the SysV IPC classes (sem, msgq, shm, ipc). |
| # unix_read/unix_write correspond to the traditional DAC read/write bits on |
| # the IPC object, checked in addition to read/write. |
| common ipc |
| { |
| create |
| destroy |
| getattr |
| setattr |
| read |
| write |
| associate |
| unix_read |
| unix_write |
| } |
| # Filesystem class. "associate" is checked between a file type and the |
| # filesystem type it lives on; the many "allow <type> fs_t:filesystem |
| # associate" rules near the end of this file grant exactly that. |
| # mount/remount/unmount/relabelfrom/relabelto are the privileged ones. |
| class filesystem |
| { |
| mount |
| remount |
| unmount |
| getattr |
| relabelfrom |
| relabelto |
| transition |
| associate |
| quotamod |
| quotaget |
| } |
| # Directory class: the common file permissions plus the directory-entry |
| # operations. add_name/remove_name are checked on the parent directory when a |
| # file is created/unlinked; "search" is the per-component traversal check. |
| class dir |
| inherits file |
| { |
| add_name |
| remove_name |
| reparent |
| search |
| rmdir |
| } |
| # Regular file class. execute_no_trans: execute without a domain transition; |
| # entrypoint: the file may be the entry point of a domain transition; |
| # execmod: execute a file mapping after it has been modified (text |
| # relocations), presumably what the allow_execmod boolean below toggles. |
| class file |
| inherits file |
| { |
| execute_no_trans |
| entrypoint |
| execmod |
| } |
| # Remaining file-like classes. chr_file carries the same execute-related |
| # extras as the file class (character devices can be mapped and executed); |
| # blk_file, sock_file, fifo_file and lnk_file use only the common set. |
| class lnk_file |
| inherits file |
| class chr_file |
| inherits file |
| { |
| execute_no_trans |
| entrypoint |
| execmod |
| } |
| class blk_file |
| inherits file |
| class sock_file |
| inherits file |
| class fifo_file |
| inherits file |
| # fd:use is the check for inheriting or receiving another domain's open |
| # file descriptor. |
| class fd |
| { |
| use |
| } |
| # Socket classes. tcp_socket adds name_connect (connect checked against the |
| # destination port label) and node_bind (bind checked against the node |
| # label); udp/rawip sockets get node_bind only. |
| class socket |
| inherits socket |
| class tcp_socket |
| inherits socket |
| { |
| connectto |
| newconn |
| acceptfrom |
| node_bind |
| name_connect |
| } |
| class udp_socket |
| inherits socket |
| { |
| node_bind |
| } |
| class rawip_socket |
| inherits socket |
| { |
| node_bind |
| } |
| # node (IP address) and netif (interface) classes: per-protocol send/recv |
| # checks on the peer address and on the interface the packet crosses. |
| class node |
| { |
| tcp_recv |
| tcp_send |
| udp_recv |
| udp_send |
| rawip_recv |
| rawip_send |
| enforce_dest |
| } |
| class netif |
| { |
| tcp_recv |
| tcp_send |
| udp_recv |
| udp_send |
| rawip_recv |
| rawip_send |
| } |
| class netlink_socket |
| inherits socket |
| class packet_socket |
| inherits socket |
| class key_socket |
| inherits socket |
| # Unix stream sockets: connectto is the client-to-server check on the |
| # listening socket's label; dgram sockets use only the common set. |
| class unix_stream_socket |
| inherits socket |
| { |
| connectto |
| newconn |
| acceptfrom |
| } |
| class unix_dgram_socket |
| inherits socket |
| # Process class. Security-relevant notes: |
| #  - ptrace is additionally constrained by the mlsconstrain rule below |
| #    (tracer's high level must dominate the tracee's). |
| #  - dyntransition/setcurrent allow a context change without exec, which |
| #    bypasses the entrypoint check; grant sparingly. |
| #  - execmem/execstack/execheap are the W^X controls; their defaults are |
| #    driven by the allow_execmem/allow_execstack/allow_execheap booleans. |
| class process |
| { |
| fork |
| transition |
| sigchld # commonly granted from child to parent |
| sigkill # cannot be caught or ignored |
| sigstop # cannot be caught or ignored |
| signull # for kill(pid, 0) |
| signal # all other signals |
| ptrace |
| getsched |
| setsched |
| getsession |
| getpgid |
| setpgid |
| getcap |
| setcap |
| share |
| getattr |
| setexec |
| setfscreate |
| noatsecure |
| siginh |
| setrlimit |
| rlimitinh |
| dyntransition |
| setcurrent |
| execmem |
| execstack |
| execheap |
| } |
| # SysV IPC classes on top of the common ipc set. msg (an individual message) |
| # does not inherit; it only has send/receive. shm adds lock (SHM_LOCK). |
| class ipc |
| inherits ipc |
| class sem |
| inherits ipc |
| class msgq |
| inherits ipc |
| { |
| enqueue |
| } |
| class msg |
| { |
| send |
| receive |
| } |
| class shm |
| inherits ipc |
| { |
| lock |
| } |
| # The security class is the interface to the policy server itself. |
| # load_policy, setenforce, setbool and setsecparam let a domain change the |
| # policy or turn enforcement off, i.e. they are equivalent to full control |
| # of every other rule in this file; the can_load_policy / can_setenforce / |
| # can_setsecparam attributes below exist to track who holds them. The |
| # compute_* permissions are read-only queries used by userspace object |
| # managers. |
| class security |
| { |
| compute_av |
| compute_create |
| compute_member |
| check_context |
| load_policy |
| compute_relabel |
| compute_user |
| setenforce # was avc_toggle in system class |
| setbool |
| setsecparam |
| setcheckreqprot |
| } |
| # Kernel-wide operations: ipc_info (ipcs-style enumeration) and the |
| # syslog(2) controls. syslog_mod clears/changes the ring buffer and |
| # syslog_console changes the console log level -- both are log-tampering |
| # capabilities from a forensic standpoint. |
| class system |
| { |
| ipc_info |
| syslog_read |
| syslog_mod |
| syslog_console |
| } |
| # Linux capabilities, as checked on the process's own label. Several are |
| # root-equivalent and should be treated as such when auditing allow rules: |
| # dac_override/dac_read_search (bypass DAC), sys_admin, sys_module (load |
| # kernel code), sys_rawio (raw device/IO access), sys_ptrace, setuid/setgid, |
| # and audit_control (reconfigure auditing). |
| class capability |
| { |
| chown |
| dac_override |
| dac_read_search |
| fowner |
| fsetid |
| kill |
| setgid |
| setuid |
| setpcap |
| linux_immutable |
| net_bind_service |
| net_broadcast |
| net_admin |
| net_raw |
| ipc_lock |
| ipc_owner |
| sys_module |
| sys_rawio |
| sys_chroot |
| sys_ptrace |
| sys_pacct |
| sys_admin |
| sys_boot |
| sys_nice |
| sys_resource |
| sys_time |
| sys_tty_config |
| mknod |
| lease |
| audit_write |
| audit_control |
| } |
| # Userspace class enforced by the passwd/chfn/chsh/crontab utilities for |
| # operating on *another* user's account. rootok maps to pam_rootok, i.e. it |
| # lets the caller skip authentication entirely -- grant only to domains that |
| # are already fully trusted administrators. |
| class passwd |
| { |
| passwd # change another user passwd |
| chfn # change another user finger info |
| chsh # change another user shell |
| rootok # pam_rootok check (skip auth) |
| crontab # crontab on another user |
| } |
| # X Window System classes, enforced by the X server as a userspace object |
| # manager. These are what isolates one client's windows, properties and |
| # input events from another's; the xinput and xserver classes hold the |
| # keylogging/grab-related permissions (mousemotion, activegrab, passivegrab, |
| # warppointer, grab) and xclient:kill lets one client terminate another. |
| class drawable |
| { |
| create |
| destroy |
| draw |
| copy |
| getattr |
| } |
| class gc |
| { |
| create |
| free |
| getattr |
| setattr |
| } |
| class window |
| { |
| addchild |
| create |
| destroy |
| map |
| unmap |
| chstack |
| chproplist |
| chprop |
| listprop |
| getattr |
| setattr |
| setfocus |
| move |
| chselection |
| chparent |
| ctrllife |
| enumerate |
| transparent |
| mousemotion |
| clientcomevent |
| inputevent |
| drawevent |
| windowchangeevent |
| windowchangerequest |
| serverchangeevent |
| extensionevent |
| } |
| class font |
| { |
| load |
| free |
| getattr |
| use |
| } |
| class colormap |
| { |
| create |
| free |
| install |
| uninstall |
| list |
| read |
| store |
| getattr |
| setattr |
| } |
| # property: window properties are the usual channel for cut-and-paste and |
| # inter-client data, so read/write here is a data-flow boundary. |
| class property |
| { |
| create |
| free |
| read |
| write |
| } |
| class cursor |
| { |
| create |
| createglyph |
| free |
| assign |
| setattr |
| } |
| class xclient |
| { |
| kill |
| } |
| class xinput |
| { |
| lookup |
| getattr |
| setattr |
| setfocus |
| warppointer |
| activegrab |
| passivegrab |
| ungrab |
| bell |
| mousemotion |
| relabelinput |
| } |
| # xserver: sethostlist/setfontpath change server-wide access and load |
| # paths; grab freezes the whole display for one client. |
| class xserver |
| { |
| screensaver |
| gethostlist |
| sethostlist |
| getfontpath |
| setfontpath |
| getattr |
| grab |
| ungrab |
| } |
| # xextension:query is additionally restricted by an mlsconstrain below. |
| class xextension |
| { |
| query |
| use |
| } |
| # PaX flags as a per-executable class. A permission granted here means the |
| # corresponding hardening may be *disabled* for that binary, so allow rules |
| # on this class weaken exploit mitigations; review them with the |
| # execmem/execstack/execheap process permissions. |
| class pax |
| { |
| pageexec # Paging based non-executable pages |
| emutramp # Emulate trampolines |
| mprotect # Restrict mprotect() |
| randmmap # Randomize mmap() base |
| randexec # Randomize ET_EXEC base |
| segmexec # Segmentation based non-executable pages |
| } |
| # Netlink socket families. nlmsg_read/nlmsg_write split the netlink message |
| # types into query vs. configuration: nlmsg_write on route/firewall/xfrm |
| # sockets is network/IPsec reconfiguration. On the audit socket, |
| # nlmsg_relay (send userspace audit records) and nlmsg_readpriv |
| # (read the audit configuration) are kept separate from plain read/write so |
| # a logging client need not be able to reconfigure auditing. |
| class netlink_route_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| } |
| class netlink_firewall_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| } |
| class netlink_tcpdiag_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| } |
| class netlink_nflog_socket |
| inherits socket |
| class netlink_xfrm_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| } |
| class netlink_selinux_socket |
| inherits socket |
| class netlink_audit_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| nlmsg_relay |
| nlmsg_readpriv |
| } |
| class netlink_ip6fw_socket |
| inherits socket |
| { |
| nlmsg_read |
| nlmsg_write |
| } |
| class netlink_dnrt_socket |
| inherits socket |
| # dbus (userspace): acquire_svc = own a well-known bus name, send_msg = |
| # message delivery between two bus clients. |
| class dbus |
| { |
| acquire_svc |
| send_msg |
| } |
| # nscd (userspace): lookups vs. the shmem* mapped-cache accesses vs. admin. |
| class nscd |
| { |
| getpwd |
| getgrp |
| gethost |
| getstat |
| admin |
| shmempwd |
| shmemgrp |
| shmemhost |
| } |
| # association: IPsec security association; setcontext lets a domain label |
| # the SA it negotiates. |
| class association |
| { |
| sendto |
| recvfrom |
| setcontext |
| } |
| class netlink_kobject_uevent_socket |
| inherits socket |
| # MLS configuration. There is a single sensitivity (s0) and 256 categories, |
| # i.e. an MCS-style setup: the mlsconstrain rules below only ever compare |
| # category sets, never sensitivities. The one declared level, s0:c0.c255, |
| # is the full range; individual contexts pick subsets of it. |
| sensitivity s0; |
| dominance { s0 } |
| category c0; category c1; category c2; category c3; |
| category c4; category c5; category c6; category c7; |
| category c8; category c9; category c10; category c11; |
| category c12; category c13; category c14; category c15; |
| category c16; category c17; category c18; category c19; |
| category c20; category c21; category c22; category c23; |
| category c24; category c25; category c26; category c27; |
| category c28; category c29; category c30; category c31; |
| category c32; category c33; category c34; category c35; |
| category c36; category c37; category c38; category c39; |
| category c40; category c41; category c42; category c43; |
| category c44; category c45; category c46; category c47; |
| category c48; category c49; category c50; category c51; |
| category c52; category c53; category c54; category c55; |
| category c56; category c57; category c58; category c59; |
| category c60; category c61; category c62; category c63; |
| category c64; category c65; category c66; category c67; |
| category c68; category c69; category c70; category c71; |
| category c72; category c73; category c74; category c75; |
| category c76; category c77; category c78; category c79; |
| category c80; category c81; category c82; category c83; |
| category c84; category c85; category c86; category c87; |
| category c88; category c89; category c90; category c91; |
| category c92; category c93; category c94; category c95; |
| category c96; category c97; category c98; category c99; |
| category c100; category c101; category c102; category c103; |
| category c104; category c105; category c106; category c107; |
| category c108; category c109; category c110; category c111; |
| category c112; category c113; category c114; category c115; |
| category c116; category c117; category c118; category c119; |
| category c120; category c121; category c122; category c123; |
| category c124; category c125; category c126; category c127; |
| category c128; category c129; category c130; category c131; |
| category c132; category c133; category c134; category c135; |
| category c136; category c137; category c138; category c139; |
| category c140; category c141; category c142; category c143; |
| category c144; category c145; category c146; category c147; |
| category c148; category c149; category c150; category c151; |
| category c152; category c153; category c154; category c155; |
| category c156; category c157; category c158; category c159; |
| category c160; category c161; category c162; category c163; |
| category c164; category c165; category c166; category c167; |
| category c168; category c169; category c170; category c171; |
| category c172; category c173; category c174; category c175; |
| category c176; category c177; category c178; category c179; |
| category c180; category c181; category c182; category c183; |
| category c184; category c185; category c186; category c187; |
| category c188; category c189; category c190; category c191; |
| category c192; category c193; category c194; category c195; |
| category c196; category c197; category c198; category c199; |
| category c200; category c201; category c202; category c203; |
| category c204; category c205; category c206; category c207; |
| category c208; category c209; category c210; category c211; |
| category c212; category c213; category c214; category c215; |
| category c216; category c217; category c218; category c219; |
| category c220; category c221; category c222; category c223; |
| category c224; category c225; category c226; category c227; |
| category c228; category c229; category c230; category c231; |
| category c232; category c233; category c234; category c235; |
| category c236; category c237; category c238; category c239; |
| category c240; category c241; category c242; category c243; |
| category c244; category c245; category c246; category c247; |
| category c248; category c249; category c250; category c251; |
| category c252; category c253; category c254; category c255; |
| level s0:c0.c255; |
| # MLS/MCS constraints. Notation: l1/h1 = low/high level of the source |
| # (process), l2/h2 = low/high level of the target, t1/t2 = their types, |
| # "dom" = dominates (superset of categories here). These are evaluated in |
| # addition to the type-enforcement allow rules, never instead of them. |
| # |
| # Writing-style operations on a file require the process's high level to |
| # dominate the file's. |
| mlsconstrain file { write setattr append unlink link rename |
| ioctl lock execute relabelfrom } (h1 dom h2); |
| # Creating or relabeling to a context additionally requires the target to be |
| # single-level (l2 eq h2), so a process cannot mint ranged file labels. |
| mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2)); |
| # Reading a file: dominate it, OR the file carries a process type (t2 has |
| # the "domain" attribute -- presumably /proc/<pid> entries, which are |
| # labeled with the owning process's type), OR the reader has the |
| # mlsfileread override attribute. The latter two are escape hatches; audit |
| # which types receive mlsfileread. |
| mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread )); |
| mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } |
| ( h1 dom h2 ); |
| mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } |
| (( h1 dom h2 ) and ( l2 eq h2 )); |
| # A tracer must dominate the tracee; no override attribute is provided. |
| mlsconstrain process { ptrace } ( h1 dom h2 ); |
| # The uncatchable signals need dominance unless the sender is an mcskillall |
| # type (the parenthesised "or" applies to the whole expression). |
| mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or |
| ( t1 == mcskillall ); |
| # NOTE(review): this restricts X extension queries to types carrying the |
| # *file*-read override attribute, with no level comparison at all. That |
| # reads like a placeholder borrowed from the file rules; confirm it is the |
| # intended gate before relying on it for X isolation. |
| mlsconstrain xextension query ( t1 == mlsfileread ); |
| # Attribute declarations. Attributes are the hooks the constraints and |
| # neverallow assertions in this file key on, so which types get assigned |
| # to them later is as security-relevant as the allow rules themselves. |
| # |
| # Network object attributes. reserved_port_type marks the privileged |
| # (<1024-style) ports that are assigned en masse near the end of the file. |
| attribute netif_type; |
| attribute node_type; |
| attribute port_type; |
| attribute reserved_port_type; |
| # device_node: every /dev node type; memory_raw_read/memory_raw_write are |
| # the only types allowed to touch memory_device_t -- enforced by the two |
| # neverallow assertions at the end of this file. |
| attribute device_node; |
| attribute memory_raw_read; |
| attribute memory_raw_write; |
| # Process-domain attributes. "domain" is also used as an MLS read override |
| # on files (see the mlsconstrain rules above); unconfined_domain_type and |
| # kern_unconfined mark the domains that escape type enforcement. |
| attribute domain; |
| attribute unconfined_domain_type; |
| attribute set_curr_context; |
| attribute entry_type; |
| attribute privfd; |
| attribute can_change_process_identity; |
| attribute can_change_process_role; |
| attribute can_change_object_identity; |
| attribute can_system_change; |
| attribute process_user_target; |
| attribute cron_source_domain; |
| attribute cron_job_domain; |
| attribute process_uncond_exempt; # add userhelperdomain to this one |
| # File-object attributes. noxattrfs marks filesystems that cannot store |
| # per-file labels (every file on them shares the filesystem's label). |
| attribute file_type; |
| attribute lockfile; |
| attribute mountpoint; |
| attribute pidfile; |
| attribute polydir; |
| attribute usercanread; |
| attribute polyparent; |
| attribute polymember; |
| attribute security_file_type; |
| attribute tmpfile; |
| attribute tmpfsfile; |
| attribute filesystem_type; |
| attribute noxattrfs; |
| attribute can_load_kernmodule; |
| attribute can_receive_kernel_messages; |
| attribute kern_unconfined; |
| attribute proc_type; |
| attribute sysctl_type; |
| # MLS override attributes. Each one exempts its types from the |
| # corresponding level comparison (mcskillall and mlsfileread are referenced |
| # by the mlsconstrain rules above; the rest are presumably used by |
| # constraints outside this excerpt). Membership here is a trusted-subject |
| # list and should be reviewed as such. |
| attribute mcskillall; |
| attribute mlsfileread; |
| attribute mlsfilereadtoclr; |
| attribute mlsfilewrite; |
| attribute mlsfilewritetoclr; |
| attribute mlsfileupgrade; |
| attribute mlsfiledowngrade; |
| attribute mlsnetread; |
| attribute mlsnetreadtoclr; |
| attribute mlsnetwrite; |
| attribute mlsnetwritetoclr; |
| attribute mlsnetupgrade; |
| attribute mlsnetdowngrade; |
| attribute mlsnetrecvall; |
| attribute mlsipcread; |
| attribute mlsipcreadtoclr; |
| attribute mlsipcwrite; |
| attribute mlsipcwritetoclr; |
| attribute mlsprocread; |
| attribute mlsprocreadtoclr; |
| attribute mlsprocwrite; |
| attribute mlsprocwritetoclr; |
| attribute mlsprocsetsl; |
| attribute mlsxwinread; |
| attribute mlsxwinreadtoclr; |
| attribute mlsxwinwrite; |
| attribute mlsxwinwritetoclr; |
| attribute mlsxwinreadproperty; |
| attribute mlsxwinwriteproperty; |
| attribute mlsxwinreadcolormap; |
| attribute mlsxwinwritecolormap; |
| attribute mlsxwinwritexinput; |
| attribute mlstrustedobject; |
| attribute privrangetrans; |
| attribute mlsrangetrans; |
| # Policy-control attributes: the types that may load policy, toggle |
| # enforcement or change security parameters (security class above). |
| attribute can_load_policy; |
| attribute can_setenforce; |
| attribute can_setsecparam; |
| # Terminal attributes. |
| attribute ttynode; |
| attribute ptynode; |
| attribute server_ptynode; |
| attribute serial_device; |
| # Type declarations. Types listed with attributes here get them at |
| # declaration; many more attribute memberships are added by the |
| # typeattribute statements that follow. |
| # |
| # Executable and device types for the core system. |
| type bin_t; |
| type sbin_t; |
| type ls_exec_t; |
| type shell_exec_t; |
| type chroot_exec_t; |
| type ppp_device_t; |
| type tun_tap_device_t; |
| # Port types. port_t is the catch-all for unlabeled ports; reserved_port_t |
| # covers the remaining privileged ports. Per-service ports that are also |
| # privileged are added to reserved_port_type further down. |
| type port_t, port_type; |
| type reserved_port_t, port_type, reserved_port_type; |
| type afs_bos_port_t, port_type; |
| type afs_fs_port_t, port_type; |
| type afs_ka_port_t, port_type; |
| type afs_pt_port_t, port_type; |
| type afs_vl_port_t, port_type; |
| type amanda_port_t, port_type; |
| type amavisd_recv_port_t, port_type; |
| type amavisd_send_port_t, port_type; |
| type asterisk_port_t, port_type; |
| type auth_port_t, port_type; |
| type bgp_port_t, port_type; |
| type biff_port_t, port_type, reserved_port_type; |
| type clamd_port_t, port_type; |
| type clockspeed_port_t, port_type; |
| type comsat_port_t, port_type; |
| type cvs_port_t, port_type; |
| type dcc_port_t, port_type; |
| type dbskkd_port_t, port_type; |
| type dhcpc_port_t, port_type; |
| type dhcpd_port_t, port_type; |
| type dict_port_t, port_type; |
| type distccd_port_t, port_type; |
| type dns_port_t, port_type; |
| type fingerd_port_t, port_type; |
| type ftp_data_port_t, port_type; |
| type ftp_port_t, port_type; |
| type gatekeeper_port_t, port_type; |
| type giftd_port_t, port_type; |
| type gopher_port_t, port_type; |
| type http_cache_port_t, port_type; |
| type http_port_t, port_type; |
| type howl_port_t, port_type; |
| type hplip_port_t, port_type; |
| type i18n_input_port_t, port_type; |
| type imaze_port_t, port_type; |
| type inetd_child_port_t, port_type; |
| type innd_port_t, port_type; |
| type ipp_port_t, port_type; |
| type ircd_port_t, port_type; |
| type isakmp_port_t, port_type; |
| type jabber_client_port_t, port_type; |
| type jabber_interserver_port_t, port_type; |
| type kerberos_admin_port_t, port_type; |
| type kerberos_master_port_t, port_type; |
| type kerberos_port_t, port_type; |
| type ktalkd_port_t, port_type; |
| type ldap_port_t, port_type; |
| type lrrd_port_t, port_type; |
| type mail_port_t, port_type; |
| type monopd_port_t, port_type; |
| type mysqld_port_t, port_type; |
| type nessus_port_t, port_type; |
| type nmbd_port_t, port_type; |
| type ntp_port_t, port_type; |
| type openvpn_port_t, port_type; |
| type pegasus_http_port_t, port_type; |
| type pegasus_https_port_t, port_type; |
| type pop_port_t, port_type; |
| type portmap_port_t, port_type; |
| type postgresql_port_t, port_type; |
| type postgrey_port_t, port_type; |
| type printer_port_t, port_type; |
| type ptal_port_t, port_type; |
| type pxe_port_t, port_type; |
| type pyzor_port_t, port_type; |
| type radacct_port_t, port_type; |
| type radius_port_t, port_type; |
| type razor_port_t, port_type; |
| type rlogind_port_t, port_type; |
| type rndc_port_t, port_type; |
| type router_port_t, port_type; |
| type rsh_port_t, port_type; |
| type rsync_port_t, port_type; |
| type smbd_port_t, port_type; |
| type smtp_port_t, port_type; |
| type snmp_port_t, port_type; |
| type spamd_port_t, port_type; |
| type ssh_port_t, port_type; |
| type soundd_port_t, port_type; |
| type socks_port_t, port_type; type stunnel_port_t, port_type; |
| type swat_port_t, port_type; |
| type syslogd_port_t, port_type; |
| type telnetd_port_t, port_type; |
| type tftp_port_t, port_type; |
| type transproxy_port_t, port_type; |
| type utcpserver_port_t, port_type; |
| type uucpd_port_t, port_type; |
| type vnc_port_t, port_type; |
| type xserver_port_t, port_type; |
| type xen_port_t, port_type; |
| type zebra_port_t, port_type; |
| type zope_port_t, port_type; |
| # Node (address) and interface types. node_t / netif_t are the defaults for |
| # anything not matched more specifically. |
| type node_t, node_type; |
| type compat_ipv4_node_t alias node_compat_ipv4_t, node_type; |
| type inaddr_any_node_t alias node_inaddr_any_t, node_type; |
| type node_internal_t, node_type; |
| type link_local_node_t alias node_link_local_t, node_type; |
| type lo_node_t alias node_lo_t, node_type; |
| type mapped_ipv4_node_t alias node_mapped_ipv4_t, node_type; |
| type multicast_node_t alias node_multicast_t, node_type; |
| type site_local_node_t alias node_site_local_t, node_type; |
| type unspec_node_t alias node_unspec_t, node_type; |
| type netif_t, netif_type; |
| # Device node types. memory_device_t (/dev/mem, /dev/kmem and the like) is |
| # protected by neverallow assertions below; random_device_t vs. |
| # urandom_device_t are kept distinct so the blocking pool can be gated |
| # separately. |
| type device_t; |
| type agp_device_t; |
| type apm_bios_t; |
| type cardmgr_dev_t; |
| type clock_device_t; |
| type cpu_device_t; |
| type crypt_device_t; |
| type dri_device_t; |
| type event_device_t; |
| type framebuf_device_t; |
| type lvm_control_t; |
| type memory_device_t; |
| type misc_device_t; |
| type mouse_device_t; |
| type mtrr_device_t; |
| type null_device_t; |
| type power_device_t; |
| type printer_device_t; |
| type random_device_t; |
| type scanner_device_t; |
| type sound_device_t; |
| type sysfs_t; |
| type urandom_device_t; |
| type usbfs_t alias usbdevfs_t; |
| type usb_device_t; |
| type v4l_device_t; |
| type xserver_misc_device_t; |
| type zero_device_t; |
| type xconsole_device_t; |
| type devfs_control_t; |
| # Core filesystem-tree types. no_access_t is the deliberately unreachable |
| # label; default_t is what unlisted paths fall back to (see the |
| # read_default_t boolean below). |
| type boot_t; |
| type default_t, file_type, mountpoint; |
| type etc_t, file_type; |
| type etc_runtime_t, file_type; |
| type file_t, file_type, mountpoint; |
| type home_root_t, file_type, mountpoint; |
| type lost_found_t, file_type; |
| type mnt_t, file_type, mountpoint; |
| type modules_object_t; |
| type no_access_t, file_type; |
| type poly_t, file_type; |
| type readable_t, file_type; |
| type root_t, file_type, mountpoint; |
| type src_t, file_type, mountpoint; |
| type system_map_t; |
| type tmp_t, mountpoint; #, polydir |
| type usr_t, file_type, mountpoint; |
| type var_t, file_type, mountpoint; |
| type var_lib_t, file_type, mountpoint; |
| type var_lock_t, file_type, lockfile; |
| type var_run_t, file_type, pidfile; |
| type var_spool_t; |
| # Filesystem types. Those tagged noxattrfs cannot carry per-file labels, so |
| # every object on them shares the filesystem's own type. |
| type fs_t; |
| type bdev_t; |
| type binfmt_misc_fs_t; |
| type capifs_t; |
| type configfs_t; |
| type eventpollfs_t; |
| type futexfs_t; |
| type hugetlbfs_t; |
| type inotifyfs_t; |
| type nfsd_fs_t; |
| type ramfs_t; |
| type romfs_t; |
| type rpc_pipefs_t; |
| type tmpfs_t; |
| type autofs_t, noxattrfs; |
| type cifs_t alias sambafs_t, noxattrfs; |
| type dosfs_t, noxattrfs; |
| type iso9660_t, filesystem_type, noxattrfs; |
| type removable_t, noxattrfs; |
| type nfs_t, filesystem_type, noxattrfs; |
| # The kernel domain itself, plus /proc and sysctl object types. |
| # proc_kcore_t and proc_kmsg_t are kernel memory / kernel log views. |
| type kernel_t, can_load_kernmodule; |
| type debugfs_t; |
| type proc_t, proc_type; |
| type proc_kmsg_t, proc_type; |
| type proc_kcore_t, proc_type; |
| type proc_mdstat_t, proc_type; |
| type proc_net_t, proc_type; |
| type proc_xen_t, proc_type; |
| type sysctl_t, sysctl_type; |
| type sysctl_irq_t, sysctl_type; |
| type sysctl_rpc_t, sysctl_type; |
| type sysctl_fs_t, sysctl_type; |
| type sysctl_kernel_t, sysctl_type; |
| type sysctl_modprobe_t, sysctl_type; |
| type sysctl_hotplug_t, sysctl_type; |
| type sysctl_net_t, sysctl_type; |
| type sysctl_net_unix_t, sysctl_type; |
| type sysctl_vm_t, sysctl_type; |
| type sysctl_dev_t, sysctl_type; |
| type unlabeled_t; |
| # System service entry-point and domain types referenced by other modules. |
| type auditd_exec_t; |
| type crond_exec_t; |
| type cupsd_exec_t; |
| type getty_t; |
| type init_t; |
| type init_exec_t; |
| type initrc_t; |
| type initrc_exec_t; |
| type login_exec_t; |
| type sshd_exec_t; |
| type su_exec_t; |
| type udev_exec_t; |
| type unconfined_t; |
| type xdm_exec_t; |
| type lvm_exec_t; |
| type security_t; |
| # Terminal device types. |
| type bsdpty_device_t; |
| type console_device_t; |
| type devpts_t; |
| type devtty_t; |
| type ptmx_t; |
| type tty_device_t, serial_device; |
| type usbtty_device_t, serial_device; |
| # Booleans with their compiled-in defaults. Defaults flagged below loosen |
| # the policy and are worth confirming against the deployment's intent; a |
| # runtime setsebool/setbool changes them without a policy rebuild. |
| # |
| # secure_mode_* are the lockdown switches (disable module loading / policy |
| # loading); all default off. |
| bool secure_mode false; |
| bool secure_mode_insmod false; |
| bool secure_mode_policyload false; |
| bool allow_cvs_read_shadow false; |
| # W^X controls. allow_execmem and allow_execstack default to TRUE, i.e. |
| # anonymous writable+executable memory and executable stacks are permitted |
| # system-wide; allow_execmod and allow_execheap stay off. |
| bool allow_execheap false; |
| bool allow_execmem true; |
| bool allow_execmod false; |
| bool allow_execstack true; |
| bool allow_ftpd_anon_write false; |
| bool allow_gssd_read_tmp true; |
| bool allow_httpd_anon_write false; |
| bool allow_java_execstack false; |
| bool allow_kerberos true; |
| bool allow_rsync_anon_write false; |
| bool allow_saslauthd_read_shadow false; |
| bool allow_smbd_anon_write false; |
| # Cross-domain ptrace is off by default. |
| bool allow_ptrace false; |
| bool allow_ypbind false; |
| bool fcron_crond false; |
| bool ftp_home_dir false; |
| bool ftpd_is_daemon true; |
| # httpd exposure: CGI, SSI execution, home directories and unified |
| # (read/write) content all default ON; outbound network/db/relay stay off. |
| bool httpd_builtin_scripting true; |
| bool httpd_can_network_connect false; |
| bool httpd_can_network_connect_db false; |
| bool httpd_can_network_relay false; |
| bool httpd_enable_cgi true; |
| bool httpd_enable_ftp_server false; |
| bool httpd_enable_homedirs true; |
| bool httpd_ssi_exec true; |
| bool httpd_tty_comm false; |
| bool httpd_unified true; |
| bool named_write_master_zones false; |
| # NFS may export any file type read-write by default. |
| bool nfs_export_all_rw true; |
| bool nfs_export_all_ro true; |
| bool pppd_can_insmod false; |
| # Unlabeled/default_t content is readable by default. |
| bool read_default_t true; |
| bool run_ssh_inetd false; |
| bool samba_enable_home_dirs false; |
| bool spamassasin_can_network false; |
| bool squid_connect_any false; |
| bool ssh_sysadm_login false; |
| bool stunnel_is_daemon false; |
| bool use_nfs_home_dirs false; |
| bool use_samba_home_dirs false; |
| bool user_ping true; |
| bool spamd_enable_home_dirs true; |
| # Rules. Most of this section is macro-expansion output: each file type is |
| # allowed to "associate" with the ordinary and label-less filesystems and |
| # is tagged file_type; each device type is tagged device_node and allowed |
| # on fs_t / tmpfs_t / tmp_t. Repeated typeattribute and allow lines (e.g. |
| # the runs for dhcpd_port_t, inetd_child_port_t, device_t, cardmgr_dev_t) |
| # are idempotent for the compiler and look like one expansion per port |
| # number or per macro invocation; they change nothing but make review |
| # noisier. The two neverallow assertions on memory_device_t at the end are |
| # the only hard restrictions in this excerpt. |
| allow bin_t fs_t:filesystem associate; |
| allow bin_t noxattrfs:filesystem associate; |
| typeattribute bin_t file_type; |
| allow sbin_t fs_t:filesystem associate; |
| allow sbin_t noxattrfs:filesystem associate; |
| typeattribute sbin_t file_type; |
| allow ls_exec_t fs_t:filesystem associate; |
| allow ls_exec_t noxattrfs:filesystem associate; |
| typeattribute ls_exec_t file_type; |
| typeattribute ls_exec_t entry_type; |
| allow shell_exec_t fs_t:filesystem associate; |
| allow shell_exec_t noxattrfs:filesystem associate; |
| typeattribute shell_exec_t file_type; |
| allow chroot_exec_t fs_t:filesystem associate; |
| allow chroot_exec_t noxattrfs:filesystem associate; |
| typeattribute chroot_exec_t file_type; |
| typeattribute ppp_device_t device_node; |
| allow ppp_device_t fs_t:filesystem associate; |
| allow ppp_device_t tmpfs_t:filesystem associate; |
| allow ppp_device_t tmp_t:filesystem associate; |
| typeattribute tun_tap_device_t device_node; |
| allow tun_tap_device_t fs_t:filesystem associate; |
| allow tun_tap_device_t tmpfs_t:filesystem associate; |
| allow tun_tap_device_t tmp_t:filesystem associate; |
| # Privileged-port tagging. Being in reserved_port_type is what makes these |
| # ports subject to whatever extra name_bind restrictions the rest of the |
| # policy places on reserved ports; a service port missing from this list |
| # is bindable under the looser port_type rules. |
| typeattribute auth_port_t reserved_port_type; |
| typeattribute bgp_port_t reserved_port_type; |
| typeattribute bgp_port_t reserved_port_type; |
| typeattribute comsat_port_t reserved_port_type; |
| typeattribute dhcpc_port_t reserved_port_type; |
| typeattribute dhcpd_port_t reserved_port_type; |
| typeattribute dhcpd_port_t reserved_port_type; |
| typeattribute dhcpd_port_t reserved_port_type; |
| typeattribute dhcpd_port_t reserved_port_type; |
| typeattribute dhcpd_port_t reserved_port_type; |
| typeattribute dns_port_t reserved_port_type; |
| typeattribute dns_port_t reserved_port_type; |
| typeattribute fingerd_port_t reserved_port_type; |
| typeattribute ftp_data_port_t reserved_port_type; |
| typeattribute ftp_port_t reserved_port_type; |
| typeattribute gopher_port_t reserved_port_type; |
| typeattribute gopher_port_t reserved_port_type; |
| typeattribute http_port_t reserved_port_type; |
| typeattribute http_port_t reserved_port_type; |
| typeattribute http_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute inetd_child_port_t reserved_port_type; |
| typeattribute innd_port_t reserved_port_type; |
| typeattribute ipp_port_t reserved_port_type; |
| typeattribute ipp_port_t reserved_port_type; |
| typeattribute isakmp_port_t reserved_port_type; |
| typeattribute kerberos_admin_port_t reserved_port_type; |
| typeattribute kerberos_admin_port_t reserved_port_type; |
| typeattribute kerberos_admin_port_t reserved_port_type; |
| typeattribute kerberos_port_t reserved_port_type; |
| typeattribute kerberos_port_t reserved_port_type; |
| typeattribute kerberos_port_t reserved_port_type; |
| typeattribute kerberos_port_t reserved_port_type; |
| typeattribute ktalkd_port_t reserved_port_type; |
| typeattribute ktalkd_port_t reserved_port_type; |
| typeattribute ldap_port_t reserved_port_type; |
| typeattribute ldap_port_t reserved_port_type; |
| typeattribute ldap_port_t reserved_port_type; |
| typeattribute ldap_port_t reserved_port_type; |
| typeattribute nmbd_port_t reserved_port_type; |
| typeattribute nmbd_port_t reserved_port_type; |
| typeattribute nmbd_port_t reserved_port_type; |
| typeattribute ntp_port_t reserved_port_type; |
| typeattribute pop_port_t reserved_port_type; |
| typeattribute pop_port_t reserved_port_type; |
| typeattribute pop_port_t reserved_port_type; |
| typeattribute pop_port_t reserved_port_type; |
| typeattribute pop_port_t reserved_port_type; |
| typeattribute pop_port_t reserved_port_type; |
| typeattribute pop_port_t reserved_port_type; |
| typeattribute portmap_port_t reserved_port_type; |
| typeattribute portmap_port_t reserved_port_type; |
| typeattribute printer_port_t reserved_port_type; |
| typeattribute rlogind_port_t reserved_port_type; |
| typeattribute rndc_port_t reserved_port_type; |
| typeattribute router_port_t reserved_port_type; |
| typeattribute rsh_port_t reserved_port_type; |
| typeattribute rsync_port_t reserved_port_type; |
| typeattribute rsync_port_t reserved_port_type; |
| typeattribute smbd_port_t reserved_port_type; |
| typeattribute smbd_port_t reserved_port_type; |
| typeattribute smtp_port_t reserved_port_type; |
| typeattribute smtp_port_t reserved_port_type; |
| typeattribute smtp_port_t reserved_port_type; |
| typeattribute snmp_port_t reserved_port_type; |
| typeattribute snmp_port_t reserved_port_type; |
| typeattribute snmp_port_t reserved_port_type; |
| typeattribute spamd_port_t reserved_port_type; |
| typeattribute ssh_port_t reserved_port_type; |
| typeattribute swat_port_t reserved_port_type; |
| typeattribute syslogd_port_t reserved_port_type; |
| typeattribute telnetd_port_t reserved_port_type; |
| typeattribute tftp_port_t reserved_port_type; |
| typeattribute uucpd_port_t reserved_port_type; |
| # device_t: the generic /dev label, also a mountpoint (it is where the |
| # device filesystem is mounted). The file_type / associate lines appear |
| # twice; harmless duplication. |
| allow device_t tmpfs_t:filesystem associate; |
| allow device_t fs_t:filesystem associate; |
| allow device_t noxattrfs:filesystem associate; |
| typeattribute device_t file_type; |
| allow device_t fs_t:filesystem associate; |
| allow device_t noxattrfs:filesystem associate; |
| typeattribute device_t file_type; |
| typeattribute device_t mountpoint; |
| allow device_t tmp_t:filesystem associate; |
| typeattribute agp_device_t device_node; |
| allow agp_device_t fs_t:filesystem associate; |
| allow agp_device_t tmpfs_t:filesystem associate; |
| allow agp_device_t tmp_t:filesystem associate; |
| typeattribute apm_bios_t device_node; |
| allow apm_bios_t fs_t:filesystem associate; |
| allow apm_bios_t tmpfs_t:filesystem associate; |
| allow apm_bios_t tmp_t:filesystem associate; |
| # cardmgr_dev_t is unusual: it is a device node that is also tagged |
| # file_type, polymember and tmpfile, so it is treated as a temp file as |
| # well as a device. |
| typeattribute cardmgr_dev_t device_node; |
| allow cardmgr_dev_t fs_t:filesystem associate; |
| allow cardmgr_dev_t tmpfs_t:filesystem associate; |
| allow cardmgr_dev_t tmp_t:filesystem associate; |
| allow cardmgr_dev_t fs_t:filesystem associate; |
| allow cardmgr_dev_t noxattrfs:filesystem associate; |
| typeattribute cardmgr_dev_t file_type; |
| allow cardmgr_dev_t fs_t:filesystem associate; |
| allow cardmgr_dev_t noxattrfs:filesystem associate; |
| typeattribute cardmgr_dev_t file_type; |
| typeattribute cardmgr_dev_t polymember; |
| allow cardmgr_dev_t tmpfs_t:filesystem associate; |
| typeattribute cardmgr_dev_t tmpfile; |
| allow cardmgr_dev_t tmp_t:filesystem associate; |
| typeattribute clock_device_t device_node; |
| allow clock_device_t fs_t:filesystem associate; |
| allow clock_device_t tmpfs_t:filesystem associate; |
| allow clock_device_t tmp_t:filesystem associate; |
| typeattribute cpu_device_t device_node; |
| allow cpu_device_t fs_t:filesystem associate; |
| allow cpu_device_t tmpfs_t:filesystem associate; |
| allow cpu_device_t tmp_t:filesystem associate; |
| typeattribute crypt_device_t device_node; |
| allow crypt_device_t fs_t:filesystem associate; |
| allow crypt_device_t tmpfs_t:filesystem associate; |
| allow crypt_device_t tmp_t:filesystem associate; |
| typeattribute dri_device_t device_node; |
| allow dri_device_t fs_t:filesystem associate; |
| allow dri_device_t tmpfs_t:filesystem associate; |
| allow dri_device_t tmp_t:filesystem associate; |
| typeattribute event_device_t device_node; |
| allow event_device_t fs_t:filesystem associate; |
| allow event_device_t tmpfs_t:filesystem associate; |
| allow event_device_t tmp_t:filesystem associate; |
| typeattribute framebuf_device_t device_node; |
| allow framebuf_device_t fs_t:filesystem associate; |
| allow framebuf_device_t tmpfs_t:filesystem associate; |
| allow framebuf_device_t tmp_t:filesystem associate; |
| typeattribute lvm_control_t device_node; |
| allow lvm_control_t fs_t:filesystem associate; |
| allow lvm_control_t tmpfs_t:filesystem associate; |
| allow lvm_control_t tmp_t:filesystem associate; |
| typeattribute memory_device_t device_node; |
| allow memory_device_t fs_t:filesystem associate; |
| allow memory_device_t tmpfs_t:filesystem associate; |
| allow memory_device_t tmp_t:filesystem associate; |
| # Build-time assertions: any allow rule anywhere in the policy that grants |
| # read (resp. append/write) on memory_device_t to a type *without* the |
| # memory_raw_read (resp. memory_raw_write) attribute fails the policy |
| # compile. This is the control that keeps /dev/mem-style access down to an |
| # explicit, auditable list of types. Note the write side covers append as |
| # well as write, but neither side covers ioctl or execute. |
| neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read; |
| neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write }; |
| typeattribute misc_device_t device_node; |
| allow misc_device_t fs_t:filesystem associate; |
| allow misc_device_t tmpfs_t:filesystem associate; |
| allow misc_device_t tmp_t:filesystem associate; |
| typeattribute mouse_device_t device_node; |
| allow mouse_device_t fs_t:filesystem associate; |
| allow mouse_device_t tmpfs_t:filesystem associate; |
| allow mouse_device_t tmp_t:filesystem associate; |
| typeattribute mtrr_device_t device_node; |
| allow mtrr_device_t fs_t:filesystem associate; |
| allow mtrr_device_t tmpfs_t:filesystem associate; |
| allow mtrr_device_t tmp_t:filesystem associate; |
| typeattribute null_device_t device_node; |
| allow null_device_t fs_t:filesystem associate; |
| allow null_device_t tmpfs_t:filesystem associate; |
| allow null_device_t tmp_t:filesystem associate; |
| typeattribute null_device_t mlstrustedobject; |
| typeattribute power_device_t device_node; |
| allow power_device_t fs_t:filesystem associate; |
| allow power_device_t tmpfs_t:filesystem associate; |
| allow power_device_t tmp_t:filesystem associate; |
| typeattribute printer_device_t device_node; |
| allow printer_device_t fs_t:filesystem associate; |
| allow printer_device_t tmpfs_t:filesystem associate; |
| allow printer_device_t tmp_t:filesystem associate; |
| typeattribute random_device_t device_node; |
| allow random_device_t fs_t:filesystem associate; |
| allow random_device_t tmpfs_t:filesystem associate; |
| allow random_device_t tmp_t:filesystem associate; |
| typeattribute scanner_device_t device_node; |
| allow scanner_device_t fs_t:filesystem associate; |
| allow scanner_device_t tmpfs_t:filesystem associate; |
| allow scanner_device_t tmp_t:filesystem associate; |
| typeattribute sound_device_t device_node; |
| allow sound_device_t fs_t:filesystem associate; |
| allow sound_device_t tmpfs_t:filesystem associate; |
| allow sound_device_t tmp_t:filesystem associate; |
| allow sysfs_t fs_t:filesystem associate; |
| allow sysfs_t noxattrfs:filesystem associate; |
| typeattribute sysfs_t file_type; |
| typeattribute sysfs_t mountpoint; |
| typeattribute sysfs_t filesystem_type; |
| allow sysfs_t self:filesystem associate; |
| typeattribute urandom_device_t device_node; |
| allow urandom_device_t fs_t:filesystem associate; |
| allow urandom_device_t tmpfs_t:filesystem associate; |
| allow urandom_device_t tmp_t:filesystem associate; |
| allow usbfs_t fs_t:filesystem associate; |
| allow usbfs_t noxattrfs:filesystem associate; |
| typeattribute usbfs_t file_type; |
| typeattribute usbfs_t mountpoint; |
| typeattribute usbfs_t filesystem_type; |
| allow usbfs_t self:filesystem associate; |
| typeattribute usbfs_t noxattrfs; |
| typeattribute usb_device_t device_node; |
| allow usb_device_t fs_t:filesystem associate; |
| allow usb_device_t tmpfs_t:filesystem associate; |
| allow usb_device_t tmp_t:filesystem associate; |
| typeattribute v4l_device_t device_node; |
| allow v4l_device_t fs_t:filesystem associate; |
| allow v4l_device_t tmpfs_t:filesystem associate; |
| allow v4l_device_t tmp_t:filesystem associate; |
| typeattribute xserver_misc_device_t device_node; |
| allow xserver_misc_device_t fs_t:filesystem associate; |
| allow xserver_misc_device_t tmpfs_t:filesystem associate; |
| allow xserver_misc_device_t tmp_t:filesystem associate; |
| typeattribute zero_device_t device_node; |
| allow zero_device_t fs_t:filesystem associate; |
| allow zero_device_t tmpfs_t:filesystem associate; |
| allow zero_device_t tmp_t:filesystem associate; |
| typeattribute zero_device_t mlstrustedobject; |
| allow xconsole_device_t fs_t:filesystem associate; |
| allow xconsole_device_t noxattrfs:filesystem associate; |
| typeattribute xconsole_device_t file_type; |
| allow xconsole_device_t tmpfs_t:filesystem associate; |
| allow xconsole_device_t tmp_t:filesystem associate; |
| typeattribute devfs_control_t device_node; |
| allow devfs_control_t fs_t:filesystem associate; |
| allow devfs_control_t tmpfs_t:filesystem associate; |
| allow devfs_control_t tmp_t:filesystem associate; |
| neverallow domain ~domain:process { transition dyntransition }; |
| neverallow { domain -set_curr_context } self:process setcurrent; |
| neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *; |
| neverallow ~{ domain unlabeled_t } *:process *; |
| allow file_type self:filesystem associate; |
| allow boot_t fs_t:filesystem associate; |
| allow boot_t noxattrfs:filesystem associate; |
| typeattribute boot_t file_type; |
| allow boot_t fs_t:filesystem associate; |
| allow boot_t noxattrfs:filesystem associate; |
| typeattribute boot_t file_type; |
| typeattribute boot_t mountpoint; |
| allow default_t fs_t:filesystem associate; |
| allow default_t noxattrfs:filesystem associate; |
| allow etc_t fs_t:filesystem associate; |
| allow etc_t noxattrfs:filesystem associate; |
| allow etc_runtime_t fs_t:filesystem associate; |
| allow etc_runtime_t noxattrfs:filesystem associate; |
| allow file_t fs_t:filesystem associate; |
| allow file_t noxattrfs:filesystem associate; |
| allow kernel_t file_t:dir mounton; |
| allow home_root_t fs_t:filesystem associate; |
| allow home_root_t noxattrfs:filesystem associate; |
| allow home_root_t fs_t:filesystem associate; |
| allow home_root_t noxattrfs:filesystem associate; |
| typeattribute home_root_t file_type; |
| typeattribute home_root_t polyparent; |
| allow lost_found_t fs_t:filesystem associate; |
| allow lost_found_t noxattrfs:filesystem associate; |
| allow mnt_t fs_t:filesystem associate; |
| allow mnt_t noxattrfs:filesystem associate; |
| allow modules_object_t fs_t:filesystem associate; |
| allow modules_object_t noxattrfs:filesystem associate; |
| typeattribute modules_object_t file_type; |
| allow no_access_t fs_t:filesystem associate; |
| allow no_access_t noxattrfs:filesystem associate; |
| allow poly_t fs_t:filesystem associate; |
| allow poly_t noxattrfs:filesystem associate; |
| allow readable_t fs_t:filesystem associate; |
| allow readable_t noxattrfs:filesystem associate; |
| allow root_t fs_t:filesystem associate; |
| allow root_t noxattrfs:filesystem associate; |
| allow root_t fs_t:filesystem associate; |
| allow root_t noxattrfs:filesystem associate; |
| typeattribute root_t file_type; |
| typeattribute root_t polyparent; |
| allow kernel_t root_t:dir mounton; |
| allow src_t fs_t:filesystem associate; |
| allow src_t noxattrfs:filesystem associate; |
| allow system_map_t fs_t:filesystem associate; |
| allow system_map_t noxattrfs:filesystem associate; |
| typeattribute system_map_t file_type; |
| allow tmp_t fs_t:filesystem associate; |
| allow tmp_t noxattrfs:filesystem associate; |
| typeattribute tmp_t file_type; |
| allow tmp_t fs_t:filesystem associate; |
| allow tmp_t noxattrfs:filesystem associate; |
| typeattribute tmp_t file_type; |
| typeattribute tmp_t polymember; |
| allow tmp_t tmpfs_t:filesystem associate; |
| typeattribute tmp_t tmpfile; |
| allow tmp_t tmp_t:filesystem associate; |
| allow tmp_t fs_t:filesystem associate; |
| allow tmp_t noxattrfs:filesystem associate; |
| typeattribute tmp_t file_type; |
| typeattribute tmp_t polyparent; |
| allow usr_t fs_t:filesystem associate; |
| allow usr_t noxattrfs:filesystem associate; |
| allow var_t fs_t:filesystem associate; |
| allow var_t noxattrfs:filesystem associate; |
| allow var_lib_t fs_t:filesystem associate; |
| allow var_lib_t noxattrfs:filesystem associate; |
| allow var_lock_t fs_t:filesystem associate; |
| allow var_lock_t noxattrfs:filesystem associate; |
| allow var_run_t fs_t:filesystem associate; |
| allow var_run_t noxattrfs:filesystem associate; |
| allow var_spool_t fs_t:filesystem associate; |
| allow var_spool_t noxattrfs:filesystem associate; |
| typeattribute var_spool_t file_type; |
| allow var_spool_t fs_t:filesystem associate; |
| allow var_spool_t noxattrfs:filesystem associate; |
| typeattribute var_spool_t file_type; |
| typeattribute var_spool_t polymember; |
| allow var_spool_t tmpfs_t:filesystem associate; |
| typeattribute var_spool_t tmpfile; |
| allow var_spool_t tmp_t:filesystem associate; |
| typeattribute fs_t filesystem_type; |
| allow fs_t self:filesystem associate; |
| typeattribute bdev_t filesystem_type; |
| allow bdev_t self:filesystem associate; |
| typeattribute binfmt_misc_fs_t filesystem_type; |
| allow binfmt_misc_fs_t self:filesystem associate; |
| allow binfmt_misc_fs_t fs_t:filesystem associate; |
| allow binfmt_misc_fs_t noxattrfs:filesystem associate; |
| typeattribute binfmt_misc_fs_t file_type; |
| typeattribute binfmt_misc_fs_t mountpoint; |
| typeattribute capifs_t filesystem_type; |
| allow capifs_t self:filesystem associate; |
| typeattribute configfs_t filesystem_type; |
| allow configfs_t self:filesystem associate; |
| typeattribute eventpollfs_t filesystem_type; |
| allow eventpollfs_t self:filesystem associate; |
| typeattribute futexfs_t filesystem_type; |
| allow futexfs_t self:filesystem associate; |
| typeattribute hugetlbfs_t filesystem_type; |
| allow hugetlbfs_t self:filesystem associate; |
| allow hugetlbfs_t fs_t:filesystem associate; |
| allow hugetlbfs_t noxattrfs:filesystem associate; |
| typeattribute hugetlbfs_t file_type; |
| typeattribute hugetlbfs_t mountpoint; |
| typeattribute inotifyfs_t filesystem_type; |
| allow inotifyfs_t self:filesystem associate; |
| typeattribute nfsd_fs_t filesystem_type; |
| allow nfsd_fs_t self:filesystem associate; |
| typeattribute ramfs_t filesystem_type; |
| allow ramfs_t self:filesystem associate; |
| typeattribute romfs_t filesystem_type; |
| allow romfs_t self:filesystem associate; |
| typeattribute rpc_pipefs_t filesystem_type; |
| allow rpc_pipefs_t self:filesystem associate; |
| typeattribute tmpfs_t filesystem_type; |
| allow tmpfs_t self:filesystem associate; |
| allow tmpfs_t fs_t:filesystem associate; |
| allow tmpfs_t noxattrfs:filesystem associate; |
| typeattribute tmpfs_t file_type; |
| allow tmpfs_t fs_t:filesystem associate; |
| allow tmpfs_t noxattrfs:filesystem associate; |
| typeattribute tmpfs_t file_type; |
| typeattribute tmpfs_t mountpoint; |
| allow tmpfs_t noxattrfs:filesystem associate; |
| typeattribute autofs_t filesystem_type; |
| allow autofs_t self:filesystem associate; |
| allow autofs_t fs_t:filesystem associate; |
| allow autofs_t noxattrfs:filesystem associate; |
| typeattribute autofs_t file_type; |
| typeattribute autofs_t mountpoint; |
| typeattribute cifs_t filesystem_type; |
| allow cifs_t self:filesystem associate; |
| typeattribute dosfs_t filesystem_type; |
| allow dosfs_t self:filesystem associate; |
| allow dosfs_t fs_t:filesystem associate; |
| typeattribute iso9660_t filesystem_type; |
| allow iso9660_t self:filesystem associate; |
| allow removable_t noxattrfs:filesystem associate; |
| typeattribute removable_t filesystem_type; |
| allow removable_t self:filesystem associate; |
| allow removable_t fs_t:filesystem associate; |
| allow removable_t noxattrfs:filesystem associate; |
| typeattribute removable_t file_type; |
| typeattribute removable_t usercanread; |
| typeattribute nfs_t filesystem_type; |
| allow nfs_t self:filesystem associate; |
| allow nfs_t fs_t:filesystem associate; |
| allow nfs_t noxattrfs:filesystem associate; |
| typeattribute nfs_t file_type; |
| typeattribute nfs_t mountpoint; |
| neverallow ~can_load_kernmodule self:capability sys_module; |
| role system_r; |
| role sysadm_r; |
| role staff_r; |
| role user_r; |
| role secadm_r; |
| typeattribute kernel_t domain; |
| allow kernel_t self:dir { read getattr lock search ioctl }; |
| allow kernel_t self:lnk_file { read getattr lock ioctl }; |
| allow kernel_t self:file { getattr read write append ioctl lock }; |
| allow kernel_t self:process { fork sigchld }; |
| role secadm_r types kernel_t; |
| role sysadm_r types kernel_t; |
| role user_r types kernel_t; |
| role staff_r types kernel_t; |
| typeattribute kernel_t privrangetrans; |
| role system_r types kernel_t; |
| typeattribute debugfs_t filesystem_type; |
| allow debugfs_t self:filesystem associate; |
| allow debugfs_t self:filesystem associate; |
| allow proc_t fs_t:filesystem associate; |
| allow proc_t noxattrfs:filesystem associate; |
| typeattribute proc_t file_type; |
| typeattribute proc_t mountpoint; |
| typeattribute proc_t filesystem_type; |
| allow proc_t self:filesystem associate; |
| neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr; |
| neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr; |
| allow sysctl_t fs_t:filesystem associate; |
| allow sysctl_t noxattrfs:filesystem associate; |
| typeattribute sysctl_t file_type; |
| typeattribute sysctl_t mountpoint; |
| allow sysctl_fs_t fs_t:filesystem associate; |
| allow sysctl_fs_t noxattrfs:filesystem associate; |
| typeattribute sysctl_fs_t file_type; |
| typeattribute sysctl_fs_t mountpoint; |
| allow kernel_t self:capability *; |
| allow kernel_t unlabeled_t:dir mounton; |
| allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
| allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; |
| allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; |
| allow kernel_t self:msg { send receive }; |
| allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; |
| allow kernel_t self:unix_dgram_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; |
| allow kernel_t self:unix_stream_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } listen accept }; |
| allow kernel_t self:unix_dgram_socket sendto; |
| allow kernel_t self:unix_stream_socket connectto; |
| allow kernel_t self:fifo_file { getattr read write append ioctl lock }; |
| allow kernel_t self:sock_file { read getattr lock ioctl }; |
| allow kernel_t self:fd use; |
| allow kernel_t proc_t:dir { read getattr lock search ioctl }; |
| allow kernel_t proc_t:{ lnk_file file } { read getattr lock ioctl }; |
| allow kernel_t proc_net_t:dir { read getattr lock search ioctl }; |
| allow kernel_t proc_net_t:file { read getattr lock ioctl }; |
| allow kernel_t proc_mdstat_t:file { read getattr lock ioctl }; |
| allow kernel_t proc_kcore_t:file getattr; |
| allow kernel_t proc_kmsg_t:file getattr; |
| allow kernel_t sysctl_t:dir { read getattr lock search ioctl }; |
| allow kernel_t sysctl_kernel_t:dir { read getattr lock search ioctl }; |
| allow kernel_t sysctl_kernel_t:file { read getattr lock ioctl }; |
| allow kernel_t unlabeled_t:fifo_file { getattr read write append ioctl lock }; |
| allow kernel_t unlabeled_t:association { sendto recvfrom }; |
| allow kernel_t netif_type:netif rawip_send; |
| allow kernel_t netif_type:netif rawip_recv; |
| allow kernel_t node_type:node rawip_send; |
| allow kernel_t node_type:node rawip_recv; |
| allow kernel_t netif_t:netif rawip_send; |
| allow kernel_t netif_type:netif { tcp_send tcp_recv }; |
| allow kernel_t node_type:node { tcp_send tcp_recv }; |
| allow kernel_t node_t:node rawip_send; |
| allow kernel_t multicast_node_t:node rawip_send; |
| allow kernel_t sysfs_t:dir { read getattr lock search ioctl }; |
| allow kernel_t sysfs_t:{ file lnk_file } { read getattr lock ioctl }; |
| allow kernel_t usbfs_t:dir search; |
| allow kernel_t filesystem_type:filesystem mount; |
| allow kernel_t security_t:dir { read search getattr }; |
| allow kernel_t security_t:file { getattr read write }; |
| typeattribute kernel_t can_load_policy; |
| if(!secure_mode_policyload) { |
| allow kernel_t security_t:security load_policy; |
| auditallow kernel_t security_t:security load_policy; |
| } |
| allow kernel_t device_t:dir { read getattr lock search ioctl }; |
| allow kernel_t device_t:lnk_file { getattr read }; |
| allow kernel_t console_device_t:chr_file { getattr read write append ioctl lock }; |
| allow kernel_t bin_t:dir { read getattr lock search ioctl }; |
| allow kernel_t bin_t:lnk_file { read getattr lock ioctl }; |
| allow kernel_t shell_exec_t:file { { read getattr lock execute ioctl } execute_no_trans }; |
| allow kernel_t sbin_t:dir { read getattr lock search ioctl }; |
| allow kernel_t bin_t:dir { read getattr lock search ioctl }; |
| allow kernel_t bin_t:lnk_file { read getattr lock ioctl }; |
| allow kernel_t bin_t:file { { read getattr lock execute ioctl } execute_no_trans }; |
| allow kernel_t domain:process signal; |
| allow kernel_t proc_t:dir search; |
| allow kernel_t domain:dir search; |
| allow kernel_t root_t:dir { read getattr lock search ioctl }; |
| allow kernel_t root_t:lnk_file { read getattr lock ioctl }; |
| allow kernel_t etc_t:dir { read getattr lock search ioctl }; |
| allow kernel_t home_root_t:dir { read getattr lock search ioctl }; |
| allow kernel_t usr_t:dir { read getattr lock search ioctl }; |
| allow kernel_t usr_t:{ file lnk_file } { read getattr lock ioctl }; |
| typeattribute kernel_t mlsprocread; |
| typeattribute kernel_t mlsprocwrite; |
| allow kernel_t self:capability *; |
| allow kernel_t self:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; |
| allow kernel_t self:process transition; |
| allow kernel_t self:file { getattr read write append ioctl lock }; |
| allow kernel_t self:nscd *; |
| allow kernel_t self:dbus *; |
| allow kernel_t self:passwd *; |
| allow kernel_t proc_type:{ dir file } *; |
| allow kernel_t sysctl_t:{ dir file } *; |
| allow kernel_t kernel_t:system *; |
| allow kernel_t unlabeled_t:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; |
| allow kernel_t unlabeled_t:filesystem *; |
| allow kernel_t unlabeled_t:association *; |
| typeattribute kernel_t can_load_kernmodule, can_receive_kernel_messages; |
| typeattribute kernel_t kern_unconfined; |
| allow kernel_t { proc_t proc_net_t }:dir search; |
| allow kernel_t sysctl_type:dir { read getattr lock search ioctl }; |
| allow kernel_t sysctl_type:file { { getattr read write append ioctl lock } setattr }; |
| allow kernel_t node_type:node *; |
| allow kernel_t netif_type:netif *; |
| allow kernel_t port_type:tcp_socket { send_msg recv_msg name_connect }; |
| allow kernel_t port_type:udp_socket { send_msg recv_msg }; |
| allow kernel_t port_type:{ tcp_socket udp_socket rawip_socket } name_bind; |
| allow kernel_t node_type:{ tcp_socket udp_socket rawip_socket } node_bind; |
| allow kernel_t unlabeled_t:association { sendto recvfrom }; |
| allow kernel_t device_node:{ chr_file blk_file } *; |
| allow kernel_t mtrr_device_t:{ dir file } *; |
| allow kernel_t self:capability sys_rawio; |
| typeattribute kernel_t memory_raw_write, memory_raw_read; |
| typeattribute kernel_t unconfined_domain_type; |
| typeattribute kernel_t can_change_process_identity; |
| typeattribute kernel_t can_change_process_role; |
| typeattribute kernel_t can_change_object_identity; |
| typeattribute kernel_t set_curr_context; |
| allow kernel_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } socket key_socket } *; |
| allow kernel_t domain:fd use; |
| allow kernel_t domain:fifo_file { getattr read write append ioctl lock }; |
| allow kernel_t domain:process ~{ transition dyntransition execmem execstack execheap }; |
| allow kernel_t domain:{ sem msgq shm } *; |
| allow kernel_t domain:msg { send receive }; |
| allow kernel_t domain:dir { read getattr lock search ioctl }; |
| allow kernel_t domain:file { read getattr lock ioctl }; |
| allow kernel_t domain:lnk_file { read getattr lock ioctl }; |
| dontaudit kernel_t domain:dir { read getattr lock search ioctl }; |
| dontaudit kernel_t domain:lnk_file { read getattr lock ioctl }; |
| dontaudit kernel_t domain:file { read getattr lock ioctl }; |
| dontaudit kernel_t domain:sock_file { read getattr lock ioctl }; |
| dontaudit kernel_t domain:fifo_file { read getattr lock ioctl }; |
| allow kernel_t file_type:{ file chr_file } ~execmod; |
| allow kernel_t file_type:{ dir lnk_file sock_file fifo_file blk_file } *; |
| allow kernel_t file_type:filesystem *; |
| allow kernel_t file_type:{ unix_stream_socket unix_dgram_socket } name_bind; |
| if (allow_execmod) { |
| allow kernel_t file_type:file execmod; |
| } |
| allow kernel_t filesystem_type:filesystem *; |
| allow kernel_t filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; |
| allow kernel_t security_t:dir { getattr search read }; |
| allow kernel_t security_t:file { getattr read write }; |
| typeattribute kernel_t can_load_policy, can_setenforce, can_setsecparam; |
| if(!secure_mode_policyload) { |
| allow kernel_t security_t:security *; |
| auditallow kernel_t security_t:security { load_policy setenforce setbool }; |
| } |
| if (allow_execheap) { |
| allow kernel_t self:process execheap; |
| } |
| if (allow_execmem) { |
| allow kernel_t self:process execmem; |
| } |
| if (allow_execmem && allow_execstack) { |
| allow kernel_t self:process execstack; |
| auditallow kernel_t self:process execstack; |
| } else { |
| } |
| if (allow_execheap) { |
| auditallow kernel_t self:process execheap; |
| } |
| if (allow_execmem) { |
| auditallow kernel_t self:process execmem; |
| } |
| if (read_default_t) { |
| allow kernel_t default_t:dir { read getattr lock search ioctl }; |
| allow kernel_t default_t:file { read getattr lock ioctl }; |
| allow kernel_t default_t:lnk_file { read getattr lock ioctl }; |
| allow kernel_t default_t:sock_file { read getattr lock ioctl }; |
| allow kernel_t default_t:fifo_file { read getattr lock ioctl }; |
| } |
| allow unlabeled_t self:filesystem associate; |
| range_transition getty_t login_exec_t s0 - s0:c0.c255; |
| range_transition init_t xdm_exec_t s0 - s0:c0.c255; |
| range_transition initrc_t crond_exec_t s0 - s0:c0.c255; |
| range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; |
| range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; |
| range_transition initrc_t udev_exec_t s0 - s0:c0.c255; |
| range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; |
| range_transition kernel_t udev_exec_t s0 - s0:c0.c255; |
| range_transition unconfined_t su_exec_t s0 - s0:c0.c255; |
| range_transition unconfined_t initrc_exec_t s0; |
| typeattribute security_t filesystem_type; |
| allow security_t self:filesystem associate; |
| typeattribute security_t mlstrustedobject; |
| neverallow ~can_load_policy security_t:security load_policy; |
| neverallow ~can_setenforce security_t:security setenforce; |
| neverallow ~can_setsecparam security_t:security setsecparam; |
| typeattribute bsdpty_device_t device_node; |
| allow bsdpty_device_t fs_t:filesystem associate; |
| allow bsdpty_device_t tmpfs_t:filesystem associate; |
| allow bsdpty_device_t tmp_t:filesystem associate; |
| typeattribute console_device_t device_node; |
| allow console_device_t fs_t:filesystem associate; |
| allow console_device_t tmpfs_t:filesystem associate; |
| allow console_device_t tmp_t:filesystem associate; |
| allow devpts_t fs_t:filesystem associate; |
| allow devpts_t noxattrfs:filesystem associate; |
| typeattribute devpts_t file_type; |
| typeattribute devpts_t mountpoint; |
| allow devpts_t tmpfs_t:filesystem associate; |
| allow devpts_t tmp_t:filesystem associate; |
| typeattribute devpts_t filesystem_type; |
| allow devpts_t self:filesystem associate; |
| typeattribute devpts_t ttynode, ptynode; |
| typeattribute devtty_t device_node; |
| allow devtty_t fs_t:filesystem associate; |
| allow devtty_t tmpfs_t:filesystem associate; |
| allow devtty_t tmp_t:filesystem associate; |
| typeattribute devtty_t mlstrustedobject; |
| typeattribute ptmx_t device_node; |
| allow ptmx_t fs_t:filesystem associate; |
| allow ptmx_t tmpfs_t:filesystem associate; |
| allow ptmx_t tmp_t:filesystem associate; |
| typeattribute ptmx_t mlstrustedobject; |
| typeattribute tty_device_t device_node; |
| allow tty_device_t fs_t:filesystem associate; |
| allow tty_device_t tmpfs_t:filesystem associate; |
| allow tty_device_t tmp_t:filesystem associate; |
| typeattribute tty_device_t ttynode; |
| typeattribute usbtty_device_t device_node; |
| allow usbtty_device_t fs_t:filesystem associate; |
| allow usbtty_device_t tmpfs_t:filesystem associate; |
| allow usbtty_device_t tmp_t:filesystem associate; |
| user system_u roles { system_r } level s0 range s0 - s0:c0.c255; |
| user user_u roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255; |
| user root roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255; |
| constrain process transition |
| ( u1 == u2 |
| or t1 == can_change_process_identity |
| ); |
| constrain process transition |
| ( r1 == r2 |
| or t1 == can_change_process_role |
| ); |
| constrain process dyntransition |
| ( u1 == u2 and r1 == r2 ); |
| constrain { dir file lnk_file sock_file fifo_file chr_file blk_file } { create relabelto relabelfrom } |
| ( u1 == u2 or t1 == can_change_object_identity ); |
| constrain { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } { create relabelto relabelfrom } |
| ( u1 == u2 or t1 == can_change_object_identity ); |
| sid port system_u:object_r:port_t:s0 |
| sid node system_u:object_r:node_t:s0 |
| sid netif system_u:object_r:netif_t:s0 |
| sid devnull system_u:object_r:null_device_t:s0 |
| sid file system_u:object_r:file_t:s0 |
| sid fs system_u:object_r:fs_t:s0 |
| sid kernel system_u:system_r:kernel_t:s0 |
| sid sysctl system_u:object_r:sysctl_t:s0 |
| sid unlabeled system_u:object_r:unlabeled_t:s0 |
| sid any_socket system_u:object_r:unlabeled_t:s0 |
| sid file_labels system_u:object_r:unlabeled_t:s0 |
| sid icmp_socket system_u:object_r:unlabeled_t:s0 |
| sid igmp_packet system_u:object_r:unlabeled_t:s0 |
| sid init system_u:object_r:unlabeled_t:s0 |
| sid kmod system_u:object_r:unlabeled_t:s0 |
| sid netmsg system_u:object_r:unlabeled_t:s0 |
| sid policy system_u:object_r:unlabeled_t:s0 |
| sid scmp_packet system_u:object_r:unlabeled_t:s0 |
| sid sysctl_modprobe system_u:object_r:unlabeled_t:s0 |
| sid sysctl_fs system_u:object_r:unlabeled_t:s0 |
| sid sysctl_kernel system_u:object_r:unlabeled_t:s0 |
| sid sysctl_net system_u:object_r:unlabeled_t:s0 |
| sid sysctl_net_unix system_u:object_r:unlabeled_t:s0 |
| sid sysctl_vm system_u:object_r:unlabeled_t:s0 |
| sid sysctl_dev system_u:object_r:unlabeled_t:s0 |
| sid tcp_socket system_u:object_r:unlabeled_t:s0 |
| sid security system_u:object_r:security_t:s0 |
| fs_use_xattr ext2 system_u:object_r:fs_t:s0; |
| fs_use_xattr ext3 system_u:object_r:fs_t:s0; |
| fs_use_xattr gfs system_u:object_r:fs_t:s0; |
| fs_use_xattr jfs system_u:object_r:fs_t:s0; |
| fs_use_xattr reiserfs system_u:object_r:fs_t:s0; |
| fs_use_xattr xfs system_u:object_r:fs_t:s0; |
| fs_use_task pipefs system_u:object_r:fs_t:s0; |
| fs_use_task sockfs system_u:object_r:fs_t:s0; |
| fs_use_trans mqueue system_u:object_r:tmpfs_t:s0; |
| fs_use_trans shm system_u:object_r:tmpfs_t:s0; |
| fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0; |
| fs_use_trans devpts system_u:object_r:devpts_t:s0; |
| genfscon proc /mtrr system_u:object_r:mtrr_device_t:s0 |
| genfscon sysfs / system_u:object_r:sysfs_t:s0 |
| genfscon usbfs / system_u:object_r:usbfs_t:s0 |
| genfscon usbdevfs / system_u:object_r:usbfs_t:s0 |
| genfscon rootfs / system_u:object_r:root_t:s0 |
| genfscon bdev / system_u:object_r:bdev_t:s0 |
| genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0 |
| genfscon capifs / system_u:object_r:capifs_t:s0 |
| genfscon configfs / system_u:object_r:configfs_t:s0 |
| genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0 |
| genfscon futexfs / system_u:object_r:futexfs_t:s0 |
| genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0 |
| genfscon inotifyfs / system_u:object_r:inotifyfs_t:s0 |
| genfscon nfsd / system_u:object_r:nfsd_fs_t:s0 |
| genfscon ramfs / system_u:object_r:ramfs_t:s0 |
| genfscon romfs / system_u:object_r:romfs_t:s0 |
| genfscon cramfs / system_u:object_r:romfs_t:s0 |
| genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0 |
| # genfscon: one fixed label per filesystem for filesystems that carry no per-file security xattrs. |
| # The "/" entry is the default for the whole filesystem; entries with a longer path (see proc below) |
| # presumably take precedence for that subtree - confirm against the policy compiler's matching rules. |
| genfscon autofs / system_u:object_r:autofs_t:s0 |
| genfscon automount / system_u:object_r:autofs_t:s0 |
| genfscon cifs / system_u:object_r:cifs_t:s0 |
| genfscon smbfs / system_u:object_r:cifs_t:s0 |
| genfscon fat / system_u:object_r:dosfs_t:s0 |
| genfscon msdos / system_u:object_r:dosfs_t:s0 |
| genfscon ntfs / system_u:object_r:dosfs_t:s0 |
| genfscon vfat / system_u:object_r:dosfs_t:s0 |
| genfscon iso9660 / system_u:object_r:iso9660_t:s0 |
| genfscon udf / system_u:object_r:iso9660_t:s0 |
| genfscon nfs / system_u:object_r:nfs_t:s0 |
| genfscon nfs4 / system_u:object_r:nfs_t:s0 |
| genfscon afs / system_u:object_r:nfs_t:s0 |
| # NOTE(review): hfsplus is a local disk filesystem but is grouped with the network filesystems under nfs_t - confirm this is intended. |
| genfscon hfsplus / system_u:object_r:nfs_t:s0 |
| genfscon debugfs / system_u:object_r:debugfs_t:s0 |
| # proc: "/" is the default; selected files and the sysctl tree under /sys get their own types so |
| # access to individual subtrees (modprobe, hotplug, net, vm, ...) can be granted separately. |
| genfscon proc / system_u:object_r:proc_t:s0 |
| genfscon proc /sysvipc system_u:object_r:proc_t:s0 |
| genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s0 |
| genfscon proc /kcore system_u:object_r:proc_kcore_t:s0 |
| genfscon proc /mdstat system_u:object_r:proc_mdstat_t:s0 |
| genfscon proc /net system_u:object_r:proc_net_t:s0 |
| genfscon proc /xen system_u:object_r:proc_xen_t:s0 |
| genfscon proc /sys system_u:object_r:sysctl_t:s0 |
| genfscon proc /irq system_u:object_r:sysctl_irq_t:s0 |
| genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t:s0 |
| genfscon proc /sys/fs system_u:object_r:sysctl_fs_t:s0 |
| genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0 |
| genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t:s0 |
| genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t:s0 |
| genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0 |
| genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t:s0 |
| genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0 |
| genfscon proc /sys/dev system_u:object_r:sysctl_dev_t:s0 |
| genfscon selinuxfs / system_u:object_r:security_t:s0 |
| # portcon: labels for network ports (protocol, single port or range). |
| # A portcon only assigns a type; whether a domain may bind to or connect to that port is decided by |
| # allow rules elsewhere in the policy - labelling a legacy clear-text service (telnet, rsh, rlogin, tftp) |
| # neither enables nor restricts it by itself. |
| # NOTE(review): port contexts are presumably consulted in the order written; the reserved_port_t |
| # catch-alls for 1-1023 are kept last so the specific low ports above them are not shadowed. |
| # Add new entries above the catch-alls. |
| portcon udp 7007 system_u:object_r:afs_bos_port_t:s0 |
| portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0 |
| portcon udp 7000 system_u:object_r:afs_fs_port_t:s0 |
| portcon udp 7005 system_u:object_r:afs_fs_port_t:s0 |
| portcon udp 7004 system_u:object_r:afs_ka_port_t:s0 |
| portcon udp 7002 system_u:object_r:afs_pt_port_t:s0 |
| portcon udp 7003 system_u:object_r:afs_vl_port_t:s0 |
| portcon udp 10080 system_u:object_r:amanda_port_t:s0 |
| portcon tcp 10080 system_u:object_r:amanda_port_t:s0 |
| portcon udp 10081 system_u:object_r:amanda_port_t:s0 |
| portcon tcp 10081 system_u:object_r:amanda_port_t:s0 |
| portcon tcp 10082 system_u:object_r:amanda_port_t:s0 |
| portcon tcp 10083 system_u:object_r:amanda_port_t:s0 |
| portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0 |
| portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0 |
| portcon tcp 1720 system_u:object_r:asterisk_port_t:s0 |
| portcon udp 2427 system_u:object_r:asterisk_port_t:s0 |
| portcon udp 2727 system_u:object_r:asterisk_port_t:s0 |
| portcon udp 4569 system_u:object_r:asterisk_port_t:s0 |
| portcon udp 5060 system_u:object_r:asterisk_port_t:s0 |
| portcon tcp 113 system_u:object_r:auth_port_t:s0 |
| portcon tcp 179 system_u:object_r:bgp_port_t:s0 |
| portcon udp 179 system_u:object_r:bgp_port_t:s0 |
| portcon tcp 3310 system_u:object_r:clamd_port_t:s0 |
| portcon udp 4041 system_u:object_r:clockspeed_port_t:s0 |
| # udp 512 (comsat) vs tcp 512 under inetd_child_port_t below: different protocols, so no overlap. |
| portcon udp 512 system_u:object_r:comsat_port_t:s0 |
| portcon tcp 2401 system_u:object_r:cvs_port_t:s0 |
| portcon udp 2401 system_u:object_r:cvs_port_t:s0 |
| portcon udp 6276 system_u:object_r:dcc_port_t:s0 |
| portcon udp 6277 system_u:object_r:dcc_port_t:s0 |
| portcon tcp 1178 system_u:object_r:dbskkd_port_t:s0 |
| portcon udp 68 system_u:object_r:dhcpc_port_t:s0 |
| portcon udp 67 system_u:object_r:dhcpd_port_t:s0 |
| portcon tcp 647 system_u:object_r:dhcpd_port_t:s0 |
| portcon udp 647 system_u:object_r:dhcpd_port_t:s0 |
| portcon tcp 847 system_u:object_r:dhcpd_port_t:s0 |
| portcon udp 847 system_u:object_r:dhcpd_port_t:s0 |
| portcon tcp 2628 system_u:object_r:dict_port_t:s0 |
| portcon tcp 3632 system_u:object_r:distccd_port_t:s0 |
| portcon udp 53 system_u:object_r:dns_port_t:s0 |
| portcon tcp 53 system_u:object_r:dns_port_t:s0 |
| portcon tcp 79 system_u:object_r:fingerd_port_t:s0 |
| portcon tcp 20 system_u:object_r:ftp_data_port_t:s0 |
| portcon tcp 21 system_u:object_r:ftp_port_t:s0 |
| portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0 |
| portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0 |
| portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0 |
| # tcp 7000 here vs udp 7000 under afs_fs_port_t above: different protocols, so no overlap. |
| portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0 |
| portcon tcp 1213 system_u:object_r:giftd_port_t:s0 |
| portcon tcp 70 system_u:object_r:gopher_port_t:s0 |
| portcon udp 70 system_u:object_r:gopher_port_t:s0 |
| portcon tcp 3128 system_u:object_r:http_cache_port_t:s0 |
| portcon udp 3130 system_u:object_r:http_cache_port_t:s0 |
| portcon tcp 8080 system_u:object_r:http_cache_port_t:s0 |
| portcon tcp 8118 system_u:object_r:http_cache_port_t:s0 |
| portcon tcp 80 system_u:object_r:http_port_t:s0 |
| portcon tcp 443 system_u:object_r:http_port_t:s0 |
| portcon tcp 488 system_u:object_r:http_port_t:s0 |
| portcon tcp 8008 system_u:object_r:http_port_t:s0 |
| # NOTE(review): 9050 is conventionally a SOCKS proxy port (Tor), not HTTP; it is filed under http_port_t here - confirm intended. |
| portcon tcp 9050 system_u:object_r:http_port_t:s0 |
| portcon tcp 5335 system_u:object_r:howl_port_t:s0 |
| portcon udp 5353 system_u:object_r:howl_port_t:s0 |
| portcon tcp 50000 system_u:object_r:hplip_port_t:s0 |
| portcon tcp 50002 system_u:object_r:hplip_port_t:s0 |
| portcon tcp 9010 system_u:object_r:i18n_input_port_t:s0 |
| portcon tcp 5323 system_u:object_r:imaze_port_t:s0 |
| portcon udp 5323 system_u:object_r:imaze_port_t:s0 |
| # Ports served by inetd-spawned children share a single type. |
| portcon tcp 7 system_u:object_r:inetd_child_port_t:s0 |
| portcon udp 7 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 9 system_u:object_r:inetd_child_port_t:s0 |
| portcon udp 9 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 13 system_u:object_r:inetd_child_port_t:s0 |
| portcon udp 13 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 19 system_u:object_r:inetd_child_port_t:s0 |
| portcon udp 19 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 37 system_u:object_r:inetd_child_port_t:s0 |
| portcon udp 37 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 512 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 543 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 544 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 891 system_u:object_r:inetd_child_port_t:s0 |
| portcon udp 891 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 892 system_u:object_r:inetd_child_port_t:s0 |
| portcon udp 892 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0 |
| portcon tcp 119 system_u:object_r:innd_port_t:s0 |
| portcon tcp 631 system_u:object_r:ipp_port_t:s0 |
| portcon udp 631 system_u:object_r:ipp_port_t:s0 |
| portcon tcp 6667 system_u:object_r:ircd_port_t:s0 |
| portcon udp 500 system_u:object_r:isakmp_port_t:s0 |
| portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0 |
| portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0 |
| portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0 |
| portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0 |
| portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0 |
| portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0 |
| portcon tcp 4444 system_u:object_r:kerberos_master_port_t:s0 |
| portcon udp 4444 system_u:object_r:kerberos_master_port_t:s0 |
| portcon tcp 88 system_u:object_r:kerberos_port_t:s0 |
| portcon udp 88 system_u:object_r:kerberos_port_t:s0 |
| portcon tcp 750 system_u:object_r:kerberos_port_t:s0 |
| portcon udp 750 system_u:object_r:kerberos_port_t:s0 |
| portcon udp 517 system_u:object_r:ktalkd_port_t:s0 |
| portcon udp 518 system_u:object_r:ktalkd_port_t:s0 |
| portcon tcp 389 system_u:object_r:ldap_port_t:s0 |
| portcon udp 389 system_u:object_r:ldap_port_t:s0 |
| portcon tcp 636 system_u:object_r:ldap_port_t:s0 |
| portcon udp 636 system_u:object_r:ldap_port_t:s0 |
| portcon tcp 2000 system_u:object_r:mail_port_t:s0 |
| portcon tcp 1234 system_u:object_r:monopd_port_t:s0 |
| portcon tcp 3306 system_u:object_r:mysqld_port_t:s0 |
| portcon tcp 1241 system_u:object_r:nessus_port_t:s0 |
| # udp 137-139 -> nmbd; the tcp side of the same ports is labelled smbd_port_t below. |
| portcon udp 137 system_u:object_r:nmbd_port_t:s0 |
| portcon udp 138 system_u:object_r:nmbd_port_t:s0 |
| portcon udp 139 system_u:object_r:nmbd_port_t:s0 |
| portcon udp 123 system_u:object_r:ntp_port_t:s0 |
| portcon udp 5000 system_u:object_r:openvpn_port_t:s0 |
| portcon tcp 5988 system_u:object_r:pegasus_http_port_t:s0 |
| portcon tcp 5989 system_u:object_r:pegasus_https_port_t:s0 |
| # POP and IMAP (plain and TLS variants) share pop_port_t. |
| portcon tcp 106 system_u:object_r:pop_port_t:s0 |
| portcon tcp 109 system_u:object_r:pop_port_t:s0 |
| portcon tcp 110 system_u:object_r:pop_port_t:s0 |
| portcon tcp 143 system_u:object_r:pop_port_t:s0 |
| portcon tcp 220 system_u:object_r:pop_port_t:s0 |
| portcon tcp 993 system_u:object_r:pop_port_t:s0 |
| portcon tcp 995 system_u:object_r:pop_port_t:s0 |
| portcon tcp 1109 system_u:object_r:pop_port_t:s0 |
| portcon udp 111 system_u:object_r:portmap_port_t:s0 |
| portcon tcp 111 system_u:object_r:portmap_port_t:s0 |
| portcon tcp 5432 system_u:object_r:postgresql_port_t:s0 |
| portcon tcp 60000 system_u:object_r:postgrey_port_t:s0 |
| portcon tcp 515 system_u:object_r:printer_port_t:s0 |
| portcon tcp 5703 system_u:object_r:ptal_port_t:s0 |
| portcon udp 4011 system_u:object_r:pxe_port_t:s0 |
| portcon udp 24441 system_u:object_r:pyzor_port_t:s0 |
| portcon udp 1646 system_u:object_r:radacct_port_t:s0 |
| portcon udp 1813 system_u:object_r:radacct_port_t:s0 |
| portcon udp 1645 system_u:object_r:radius_port_t:s0 |
| portcon udp 1812 system_u:object_r:radius_port_t:s0 |
| portcon tcp 2703 system_u:object_r:razor_port_t:s0 |
| # Legacy clear-text remote login/shell ports (see header note: the label alone does not enable them). |
| portcon tcp 513 system_u:object_r:rlogind_port_t:s0 |
| portcon tcp 953 system_u:object_r:rndc_port_t:s0 |
| portcon udp 520 system_u:object_r:router_port_t:s0 |
| portcon tcp 514 system_u:object_r:rsh_port_t:s0 |
| portcon tcp 873 system_u:object_r:rsync_port_t:s0 |
| portcon udp 873 system_u:object_r:rsync_port_t:s0 |
| # tcp 137-139 -> smbd; udp 137-139 is nmbd_port_t above. Different protocols, so no overlap. |
| portcon tcp 137-139 system_u:object_r:smbd_port_t:s0 |
| portcon tcp 445 system_u:object_r:smbd_port_t:s0 |
| portcon tcp 25 system_u:object_r:smtp_port_t:s0 |
| portcon tcp 465 system_u:object_r:smtp_port_t:s0 |
| portcon tcp 587 system_u:object_r:smtp_port_t:s0 |
| portcon udp 161 system_u:object_r:snmp_port_t:s0 |
| portcon udp 162 system_u:object_r:snmp_port_t:s0 |
| portcon tcp 199 system_u:object_r:snmp_port_t:s0 |
| portcon tcp 783 system_u:object_r:spamd_port_t:s0 |
| portcon tcp 22 system_u:object_r:ssh_port_t:s0 |
| portcon tcp 8000 system_u:object_r:soundd_port_t:s0 |
| portcon tcp 9433 system_u:object_r:soundd_port_t:s0 |
| portcon tcp 901 system_u:object_r:swat_port_t:s0 |
| # udp 514 (syslog) vs tcp 514 (rsh) above: different protocols, so no overlap. |
| portcon udp 514 system_u:object_r:syslogd_port_t:s0 |
| portcon tcp 23 system_u:object_r:telnetd_port_t:s0 |
| portcon udp 69 system_u:object_r:tftp_port_t:s0 |
| portcon tcp 8081 system_u:object_r:transproxy_port_t:s0 |
| portcon tcp 540 system_u:object_r:uucpd_port_t:s0 |
| portcon tcp 5900 system_u:object_r:vnc_port_t:s0 |
| # X server TCP listeners for displays :1 through :19 (6000 + display number). |
| portcon tcp 6001 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6002 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6003 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6004 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6005 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6006 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6007 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6008 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6009 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6010 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6011 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6012 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6013 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6014 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6015 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6016 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6017 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6018 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 6019 system_u:object_r:xserver_port_t:s0 |
| portcon tcp 8002 system_u:object_r:xen_port_t:s0 |
| portcon tcp 2601 system_u:object_r:zebra_port_t:s0 |
| portcon tcp 8021 system_u:object_r:zope_port_t:s0 |
| # Catch-all for the privileged port range. Must remain after every specific entry above. |
| portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0 |
| portcon udp 1-1023 system_u:object_r:reserved_port_t:s0 |
| # nodecon: labels for IP addresses, given as address + mask (IPv4 dotted, IPv6 colon form). |
| # NOTE(review): the compat_ipv4 entry (:: with a 96-bit mask) also matches the :: address itself, |
| # so it overlaps the narrower unspec entry (:: with a full 128-bit mask) at the end of this list. |
| # Which label :: actually receives depends on how the kernel orders/matches node contexts - verify |
| # before relying on unspec_node_t in allow rules. |
| nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:compat_ipv4_node_t:s0 |
| nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t:s0 |
| nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:link_local_node_t:s0 |
| nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 |
| nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:mapped_ipv4_node_t:s0 |
| nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 |
| nodecon fec0:: ffc0:: system_u:object_r:site_local_node_t:s0 |
| nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:unspec_node_t:s0 |