# SELinux kernel policy source (policy.conf layout).  This first part holds
# the object-class declarations, the initial SIDs, the access-vector
# (permission) definitions, the MLS sensitivity/category declarations with
# their constraints, and the start of the attribute declarations.
# Classes marked "userspace" are enforced by userspace object managers
# rather than by the kernel.

# ---- object classes ----
class security
class process
class system
class capability
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
class sem
class msg
class msgq
class shm
class ipc
class passwd # userspace
class drawable # userspace
class window # userspace
class gc # userspace
class font # userspace
class colormap # userspace
class property # userspace
class cursor # userspace
class xclient # userspace
class xinput # userspace
class xserver # userspace
class xextension # userspace
class pax
class netlink_route_socket
class netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_ip6fw_socket
class netlink_dnrt_socket
class dbus # userspace
class nscd # userspace
class association
class netlink_kobject_uevent_socket

# ---- initial SIDs (labels the kernel uses before/without policy lookups) ----
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull

# ---- common permission sets shared by several classes ----
common file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton }
common socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind }
common ipc { create destroy getattr setattr read write associate unix_read unix_write }

# ---- access vectors: per-class permissions ("inherits" pulls in a common set) ----
class filesystem { mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget }
class dir inherits file { add_name remove_name reparent search rmdir }
# execute_no_trans/entrypoint/execmod govern executing or text-relocating a file
class file inherits file { execute_no_trans entrypoint execmod }
class lnk_file inherits file
class chr_file inherits file { execute_no_trans entrypoint execmod }
class blk_file inherits file
class sock_file inherits file
class fifo_file inherits file
class fd { use }
class socket inherits socket
class tcp_socket inherits socket { connectto newconn acceptfrom node_bind name_connect }
class udp_socket inherits socket { node_bind }
class rawip_socket inherits socket { node_bind }
class node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
class netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }
class netlink_socket inherits socket
class packet_socket inherits socket
class key_socket inherits socket
class unix_stream_socket inherits socket { connectto newconn acceptfrom }
class unix_dgram_socket inherits socket
class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
}
class ipc inherits ipc
class sem inherits ipc
class msgq inherits ipc { enqueue }
class msg { send receive }
class shm inherits ipc { lock }
# security-server operations; load_policy/setenforce/setbool change enforcement state
class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
}
class system { ipc_info syslog_read syslog_mod syslog_console }
# one permission per Linux capability bit
class capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
class passwd
{
	passwd # change another user passwd
	chfn # change another user finger info
	chsh # change another user shell
	rootok # pam_rootok check (skip auth)
	crontab # crontab on another user
}
# X server object classes (userspace)
class drawable { create destroy draw copy getattr }
class gc { create free getattr setattr }
class window { addchild create destroy map unmap chstack chproplist chprop listprop getattr setattr setfocus move chselection chparent ctrllife enumerate transparent mousemotion clientcomevent inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
class font { load free getattr use }
class colormap { create free install uninstall list read store getattr setattr }
class property { create free read write }
class cursor { create createglyph free assign setattr }
class xclient { kill }
class xinput { lookup getattr setattr setfocus warppointer activegrab passivegrab ungrab bell mousemotion relabelinput }
class xserver { screensaver gethostlist sethostlist getfontpath setfontpath getattr grab ungrab }
class xextension { query use }
class pax
{
	pageexec # Paging based non-executable pages
	emutramp # Emulate trampolines
	mprotect # Restrict mprotect()
	randmmap # Randomize mmap() base
	randexec # Randomize ET_EXEC base
	segmexec # Segmentation based non-executable pages
}
class netlink_route_socket inherits socket { nlmsg_read nlmsg_write }
class netlink_firewall_socket inherits socket { nlmsg_read nlmsg_write }
class netlink_tcpdiag_socket inherits socket { nlmsg_read nlmsg_write }
class netlink_nflog_socket inherits socket
class netlink_xfrm_socket inherits socket { nlmsg_read nlmsg_write }
class netlink_selinux_socket inherits socket
class netlink_audit_socket inherits socket { nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv }
class netlink_ip6fw_socket inherits socket { nlmsg_read nlmsg_write }
class netlink_dnrt_socket inherits socket
class dbus { acquire_svc send_msg }
class nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
class association { sendto recvfrom setcontext }
class netlink_kobject_uevent_socket inherits socket

# ---- MLS declarations: one sensitivity (s0) and 256 categories ----
sensitivity s0;
dominance { s0 }
category c0; category c1; category c2; category c3; category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11; category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19; category c20; category c21; category c22; category c23;
category c24; category c25; category c26; category c27; category c28; category c29; category c30; category c31;
category c32; category c33; category c34; category c35; category c36; category c37; category c38; category c39;
category c40; category c41; category c42; category c43; category c44; category c45; category c46; category c47;
category c48; category c49; category c50; category c51; category c52; category c53; category c54; category c55;
category c56; category c57; category c58; category c59; category c60; category c61; category c62; category c63;
category c64; category c65; category c66; category c67; category c68; category c69; category c70; category c71;
category c72; category c73; category c74; category c75; category c76; category c77; category c78; category c79;
category c80; category c81; category c82; category c83; category c84; category c85; category c86; category c87;
category c88; category c89; category c90; category c91; category c92; category c93; category c94; category c95;
category c96; category c97; category c98; category c99; category c100; category c101; category c102; category c103;
category c104; category c105; category c106; category c107; category c108; category c109; category c110; category c111;
category c112; category c113; category c114; category c115; category c116; category c117; category c118; category c119;
category c120; category c121; category c122; category c123; category c124; category c125; category c126; category c127;
category c128; category c129; category c130; category c131; category c132; category c133; category c134; category c135;
category c136; category c137; category c138; category c139; category c140; category c141; category c142; category c143;
category c144; category c145; category c146; category c147; category c148; category c149; category c150; category c151;
category c152; category c153; category c154; category c155; category c156; category c157; category c158; category c159;
category c160; category c161; category c162; category c163; category c164; category c165; category c166; category c167;
category c168; category c169; category c170; category c171; category c172; category c173; category c174; category c175;
category c176; category c177; category c178; category c179; category c180; category c181; category c182; category c183;
category c184; category c185; category c186; category c187; category c188; category c189; category c190; category c191;
category c192; category c193; category c194; category c195; category c196; category c197; category c198; category c199;
category c200; category c201; category c202; category c203; category c204; category c205; category c206; category c207;
category c208; category c209; category c210; category c211; category c212; category c213; category c214; category c215;
category c216; category c217; category c218; category c219; category c220; category c221; category c222; category c223;
category c224; category c225; category c226; category c227; category c228; category c229; category c230; category c231;
category c232; category c233; category c234; category c235; category c236; category c237; category c238; category c239;
category c240; category c241; category c242; category c243; category c244; category c245; category c246; category c247;
category c248; category c249; category c250; category c251; category c252; category c253; category c254; category c255;
# the only defined level: s0 with the full category range
level s0:c0.c255;

# ---- MLS constraints ----
# In constraint expressions h1/h2 are the high levels of subject/object,
# l2 the low level of the object, t1/t2 the subject/object types.
# File modification and relabel-from require the subject to dominate the object.
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } (h1 dom h2);
# Creating or relabeling-to additionally requires the object to be single-level.
mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
# Reading is allowed by dominance, or when the object is a domain, or for
# subjects carrying the mlsfileread attribute.
mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread ));
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } ( h1 dom h2 );
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain process { ptrace } ( h1 dom h2 );
# uncatchable signals need dominance unless the sender is an mcskillall type
mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or ( t1 == mcskillall );
mlsconstrain xextension query ( t1 == mlsfileread );

# ---- attribute declarations (continue in the next section) ----
attribute netif_type;
attribute node_type;
attribute port_type;
attribute reserved_port_type;
attribute device_node;
attribute memory_raw_read;
attribute memory_raw_write;
attribute domain;
attribute unconfined_domain_type;
attribute set_curr_context;
attribute entry_type;
attribute privfd;
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;
attribute can_system_change;
attribute process_user_target;
attribute cron_source_domain;
attribute cron_job_domain;
attribute process_uncond_exempt; # add userhelperdomain to this one
attribute file_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
attribute polydir;
attribute usercanread;
attribute polyparent;
attribute polymember;
attribute security_file_type;
attribute tmpfile;
attribute tmpfsfile;
attribute filesystem_type;
attribute noxattrfs;
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
attribute kern_unconfined;
attribute proc_type;
attribute sysctl_type;
attribute mcskillall;
attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;
# Continuation of the attribute declarations (this section starts mid-list),
# followed by type declarations, boolean defaults, and the first type/attribute
# associations.  Repeated statements are retained exactly as emitted.

# ---- attribute declarations, continued (MLS privilege markers, policy control, terminals) ----
attribute mlsnetread;
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;
attribute mlsipcread;
attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;
attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
attribute mlsprocwritetoclr;
attribute mlsprocsetsl;
attribute mlsxwinread;
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
attribute mlsxwinwritetoclr;
attribute mlsxwinreadproperty;
attribute mlsxwinwriteproperty;
attribute mlsxwinreadcolormap;
attribute mlsxwinwritecolormap;
attribute mlsxwinwritexinput;
attribute mlstrustedobject;
attribute privrangetrans;
attribute mlsrangetrans;
attribute can_load_policy;
attribute can_setenforce;
attribute can_setsecparam;
attribute ttynode;
attribute ptynode;
attribute server_ptynode;
attribute serial_device;

# ---- executable and device types ----
type bin_t;
type sbin_t;
type ls_exec_t;
type shell_exec_t;
type chroot_exec_t;
type ppp_device_t;
type tun_tap_device_t;

# ---- network port types (all carry port_type; a few are also reserved) ----
type port_t, port_type;
type reserved_port_t, port_type, reserved_port_type;
type afs_bos_port_t, port_type;
type afs_fs_port_t, port_type;
type afs_ka_port_t, port_type;
type afs_pt_port_t, port_type;
type afs_vl_port_t, port_type;
type amanda_port_t, port_type;
type amavisd_recv_port_t, port_type;
type amavisd_send_port_t, port_type;
type asterisk_port_t, port_type;
type auth_port_t, port_type;
type bgp_port_t, port_type;
type biff_port_t, port_type, reserved_port_type;
type clamd_port_t, port_type;
type clockspeed_port_t, port_type;
type comsat_port_t, port_type;
type cvs_port_t, port_type;
type dcc_port_t, port_type;
type dbskkd_port_t, port_type;
type dhcpc_port_t, port_type;
type dhcpd_port_t, port_type;
type dict_port_t, port_type;
type distccd_port_t, port_type;
type dns_port_t, port_type;
type fingerd_port_t, port_type;
type ftp_data_port_t, port_type;
type ftp_port_t, port_type;
type gatekeeper_port_t, port_type;
type giftd_port_t, port_type;
type gopher_port_t, port_type;
type http_cache_port_t, port_type;
type http_port_t, port_type;
type howl_port_t, port_type;
type hplip_port_t, port_type;
type i18n_input_port_t, port_type;
type imaze_port_t, port_type;
type inetd_child_port_t, port_type;
type innd_port_t, port_type;
type ipp_port_t, port_type;
type ircd_port_t, port_type;
type isakmp_port_t, port_type;
type jabber_client_port_t, port_type;
type jabber_interserver_port_t, port_type;
type kerberos_admin_port_t, port_type;
type kerberos_master_port_t, port_type;
type kerberos_port_t, port_type;
type ktalkd_port_t, port_type;
type ldap_port_t, port_type;
type lrrd_port_t, port_type;
type mail_port_t, port_type;
type monopd_port_t, port_type;
type mysqld_port_t, port_type;
type nessus_port_t, port_type;
type nmbd_port_t, port_type;
type ntp_port_t, port_type;
type openvpn_port_t, port_type;
type pegasus_http_port_t, port_type;
type pegasus_https_port_t, port_type;
type pop_port_t, port_type;
type portmap_port_t, port_type;
type postgresql_port_t, port_type;
type postgrey_port_t, port_type;
type printer_port_t, port_type;
type ptal_port_t, port_type;
type pxe_port_t, port_type;
type pyzor_port_t, port_type;
type radacct_port_t, port_type;
type radius_port_t, port_type;
type razor_port_t, port_type;
type rlogind_port_t, port_type;
type rndc_port_t, port_type;
type router_port_t, port_type;
type rsh_port_t, port_type;
type rsync_port_t, port_type;
type smbd_port_t, port_type;
type smtp_port_t, port_type;
type snmp_port_t, port_type;
type spamd_port_t, port_type;
type ssh_port_t, port_type;
type soundd_port_t, port_type;
type socks_port_t, port_type;
type stunnel_port_t, port_type;
type swat_port_t, port_type;
type syslogd_port_t, port_type;
type telnetd_port_t, port_type;
type tftp_port_t, port_type;
type transproxy_port_t, port_type;
type utcpserver_port_t, port_type;
type uucpd_port_t, port_type;
type vnc_port_t, port_type;
type xserver_port_t, port_type;
type xen_port_t, port_type;
type zebra_port_t, port_type;
type zope_port_t, port_type;

# ---- network node and interface types ----
type node_t, node_type;
type compat_ipv4_node_t alias node_compat_ipv4_t, node_type;
type inaddr_any_node_t alias node_inaddr_any_t, node_type;
type node_internal_t, node_type;
type link_local_node_t alias node_link_local_t, node_type;
type lo_node_t alias node_lo_t, node_type;
type mapped_ipv4_node_t alias node_mapped_ipv4_t, node_type;
type multicast_node_t alias node_multicast_t, node_type;
type site_local_node_t alias node_site_local_t, node_type;
type unspec_node_t alias node_unspec_t, node_type;
type netif_t, netif_type;

# ---- device node types ----
type device_t;
type agp_device_t;
type apm_bios_t;
type cardmgr_dev_t;
type clock_device_t;
type cpu_device_t;
type crypt_device_t;
type dri_device_t;
type event_device_t;
type framebuf_device_t;
type lvm_control_t;
type memory_device_t;
type misc_device_t;
type mouse_device_t;
type mtrr_device_t;
type null_device_t;
type power_device_t;
type printer_device_t;
type random_device_t;
type scanner_device_t;
type sound_device_t;
type sysfs_t;
type urandom_device_t;
type usbfs_t alias usbdevfs_t;
type usb_device_t;
type v4l_device_t;
type xserver_misc_device_t;
type zero_device_t;
type xconsole_device_t;
type devfs_control_t;

# ---- generic file and directory types ----
type boot_t;
type default_t, file_type, mountpoint;
type etc_t, file_type;
type etc_runtime_t, file_type;
type file_t, file_type, mountpoint;
type home_root_t, file_type, mountpoint;
type lost_found_t, file_type;
type mnt_t, file_type, mountpoint;
type modules_object_t;
type no_access_t, file_type;
type poly_t, file_type;
type readable_t, file_type;
type root_t, file_type, mountpoint;
type src_t, file_type, mountpoint;
type system_map_t;
type tmp_t, mountpoint; #, polydir
type usr_t, file_type, mountpoint;
type var_t, file_type, mountpoint;
type var_lib_t, file_type, mountpoint;
type var_lock_t, file_type, lockfile;
type var_run_t, file_type, pidfile;
type var_spool_t;

# ---- filesystem types (noxattrfs marks filesystems without xattr label support) ----
type fs_t;
type bdev_t;
type binfmt_misc_fs_t;
type capifs_t;
type configfs_t;
type eventpollfs_t;
type futexfs_t;
type hugetlbfs_t;
type inotifyfs_t;
type nfsd_fs_t;
type ramfs_t;
type romfs_t;
type rpc_pipefs_t;
type tmpfs_t;
type autofs_t, noxattrfs;
type cifs_t alias sambafs_t, noxattrfs;
type dosfs_t, noxattrfs;
type iso9660_t, filesystem_type, noxattrfs;
type removable_t, noxattrfs;
type nfs_t, filesystem_type, noxattrfs;

# ---- kernel, proc and sysctl types ----
type kernel_t, can_load_kernmodule;
type debugfs_t;
type proc_t, proc_type;
type proc_kmsg_t, proc_type;
type proc_kcore_t, proc_type;
type proc_mdstat_t, proc_type;
type proc_net_t, proc_type;
type proc_xen_t, proc_type;
type sysctl_t, sysctl_type;
type sysctl_irq_t, sysctl_type;
type sysctl_rpc_t, sysctl_type;
type sysctl_fs_t, sysctl_type;
type sysctl_kernel_t, sysctl_type;
type sysctl_modprobe_t, sysctl_type;
type sysctl_hotplug_t, sysctl_type;
type sysctl_net_t, sysctl_type;
type sysctl_net_unix_t, sysctl_type;
type sysctl_vm_t, sysctl_type;
type sysctl_dev_t, sysctl_type;
type unlabeled_t;

# ---- domain and entrypoint types referenced by the base policy ----
type auditd_exec_t;
type crond_exec_t;
type cupsd_exec_t;
type getty_t;
type init_t;
type init_exec_t;
type initrc_t;
type initrc_exec_t;
type login_exec_t;
type sshd_exec_t;
type su_exec_t;
type udev_exec_t;
type unconfined_t;
type xdm_exec_t;
type lvm_exec_t;
type security_t;

# ---- terminal types ----
type bsdpty_device_t;
type console_device_t;
type devpts_t;
type devtty_t;
type ptmx_t;
type tty_device_t, serial_device;
type usbtty_device_t, serial_device;

# ---- booleans and their compiled-in default values ----
# Note the defaults that relax protections out of the box: allow_execmem and
# allow_execstack are true; allow_execheap, allow_execmod and allow_ptrace are false.
bool secure_mode false;
bool secure_mode_insmod false;
bool secure_mode_policyload false;
bool allow_cvs_read_shadow false;
bool allow_execheap false;
bool allow_execmem true;
bool allow_execmod false;
bool allow_execstack true;
bool allow_ftpd_anon_write false;
bool allow_gssd_read_tmp true;
bool allow_httpd_anon_write false;
bool allow_java_execstack false;
bool allow_kerberos true;
bool allow_rsync_anon_write false;
bool allow_saslauthd_read_shadow false;
bool allow_smbd_anon_write false;
bool allow_ptrace false;
bool allow_ypbind false;
bool fcron_crond false;
bool ftp_home_dir false;
bool ftpd_is_daemon true;
bool httpd_builtin_scripting true;
bool httpd_can_network_connect false;
bool httpd_can_network_connect_db false;
bool httpd_can_network_relay false;
bool httpd_enable_cgi true;
bool httpd_enable_ftp_server false;
bool httpd_enable_homedirs true;
bool httpd_ssi_exec true;
bool httpd_tty_comm false;
bool httpd_unified true;
bool named_write_master_zones false;
bool nfs_export_all_rw true;
bool nfs_export_all_ro true;
bool pppd_can_insmod false;
bool read_default_t true;
bool run_ssh_inetd false;
bool samba_enable_home_dirs false;
bool spamassasin_can_network false;
bool squid_connect_any false;
bool ssh_sysadm_login false;
bool stunnel_is_daemon false;
bool use_nfs_home_dirs false;
bool use_samba_home_dirs false;
bool user_ping true;
bool spamd_enable_home_dirs true;

# ---- executable file types: may live on fs_t and noxattrfs filesystems, are file_type ----
allow bin_t fs_t:filesystem associate;
allow bin_t noxattrfs:filesystem associate;
typeattribute bin_t file_type;
allow sbin_t fs_t:filesystem associate;
allow sbin_t noxattrfs:filesystem associate;
typeattribute sbin_t file_type;
allow ls_exec_t fs_t:filesystem associate;
allow ls_exec_t noxattrfs:filesystem associate;
typeattribute ls_exec_t file_type;
typeattribute ls_exec_t entry_type; # also a domain entrypoint type
allow shell_exec_t fs_t:filesystem associate;
allow shell_exec_t noxattrfs:filesystem associate;
typeattribute shell_exec_t file_type;
allow chroot_exec_t fs_t:filesystem associate;
allow chroot_exec_t noxattrfs:filesystem associate;
typeattribute chroot_exec_t file_type;

# ---- network device nodes: device_node, allowed on fs_t, tmpfs_t and tmp_t ----
typeattribute ppp_device_t device_node;
allow ppp_device_t fs_t:filesystem associate;
allow ppp_device_t tmpfs_t:filesystem associate;
allow ppp_device_t tmp_t:filesystem associate;
typeattribute tun_tap_device_t device_node;
allow tun_tap_device_t fs_t:filesystem associate;
allow tun_tap_device_t tmpfs_t:filesystem associate;
allow tun_tap_device_t tmp_t:filesystem associate;

# ---- reserved (low-numbered) port types; one statement was emitted per port number ----
typeattribute auth_port_t reserved_port_type;
typeattribute bgp_port_t reserved_port_type;
typeattribute bgp_port_t reserved_port_type;
typeattribute comsat_port_t reserved_port_type;
typeattribute dhcpc_port_t reserved_port_type;
typeattribute dhcpd_port_t reserved_port_type;
typeattribute dhcpd_port_t reserved_port_type;
typeattribute dhcpd_port_t reserved_port_type;
typeattribute dhcpd_port_t reserved_port_type;
typeattribute dhcpd_port_t reserved_port_type;
typeattribute dns_port_t reserved_port_type;
typeattribute dns_port_t reserved_port_type;
typeattribute fingerd_port_t reserved_port_type;
typeattribute ftp_data_port_t reserved_port_type;
typeattribute ftp_port_t reserved_port_type;
typeattribute gopher_port_t reserved_port_type;
typeattribute gopher_port_t reserved_port_type;
typeattribute http_port_t reserved_port_type;
typeattribute http_port_t reserved_port_type;
typeattribute http_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute inetd_child_port_t reserved_port_type;
typeattribute innd_port_t reserved_port_type;
typeattribute ipp_port_t reserved_port_type;
typeattribute ipp_port_t reserved_port_type;
typeattribute isakmp_port_t reserved_port_type;
typeattribute kerberos_admin_port_t reserved_port_type;
typeattribute kerberos_admin_port_t reserved_port_type;
typeattribute kerberos_admin_port_t reserved_port_type;
typeattribute kerberos_port_t reserved_port_type;
typeattribute kerberos_port_t reserved_port_type;
typeattribute kerberos_port_t reserved_port_type;
typeattribute kerberos_port_t reserved_port_type;
typeattribute ktalkd_port_t reserved_port_type;
typeattribute ktalkd_port_t reserved_port_type;
typeattribute ldap_port_t reserved_port_type;
typeattribute ldap_port_t reserved_port_type;
typeattribute ldap_port_t reserved_port_type;
typeattribute ldap_port_t reserved_port_type;
typeattribute nmbd_port_t reserved_port_type;
typeattribute nmbd_port_t reserved_port_type;
typeattribute nmbd_port_t reserved_port_type;
typeattribute ntp_port_t reserved_port_type;
# Continuation: remaining reserved-port markers, device-node associations with
# the filesystems they may live on, the raw-memory and process-transition
# neverallow guards, and the start of the generic file-type associations.
# Repeated statements are retained exactly as emitted.

# ---- reserved port types, continued ----
typeattribute pop_port_t reserved_port_type;
typeattribute pop_port_t reserved_port_type;
typeattribute pop_port_t reserved_port_type;
typeattribute pop_port_t reserved_port_type;
typeattribute pop_port_t reserved_port_type;
typeattribute pop_port_t reserved_port_type;
typeattribute pop_port_t reserved_port_type;
typeattribute portmap_port_t reserved_port_type;
typeattribute portmap_port_t reserved_port_type;
typeattribute printer_port_t reserved_port_type;
typeattribute rlogind_port_t reserved_port_type;
typeattribute rndc_port_t reserved_port_type;
typeattribute router_port_t reserved_port_type;
typeattribute rsh_port_t reserved_port_type;
typeattribute rsync_port_t reserved_port_type;
typeattribute rsync_port_t reserved_port_type;
typeattribute smbd_port_t reserved_port_type;
typeattribute smbd_port_t reserved_port_type;
typeattribute smtp_port_t reserved_port_type;
typeattribute smtp_port_t reserved_port_type;
typeattribute smtp_port_t reserved_port_type;
typeattribute snmp_port_t reserved_port_type;
typeattribute snmp_port_t reserved_port_type;
typeattribute snmp_port_t reserved_port_type;
typeattribute spamd_port_t reserved_port_type;
typeattribute ssh_port_t reserved_port_type;
typeattribute swat_port_t reserved_port_type;
typeattribute syslogd_port_t reserved_port_type;
typeattribute telnetd_port_t reserved_port_type;
typeattribute tftp_port_t reserved_port_type;
typeattribute uucpd_port_t reserved_port_type;

# ---- /dev itself: a file_type mountpoint that may sit on tmpfs_t, fs_t, noxattrfs and tmp_t ----
allow device_t tmpfs_t:filesystem associate;
allow device_t fs_t:filesystem associate;
allow device_t noxattrfs:filesystem associate;
typeattribute device_t file_type;
allow device_t fs_t:filesystem associate;
allow device_t noxattrfs:filesystem associate;
typeattribute device_t file_type;
typeattribute device_t mountpoint;
allow device_t tmp_t:filesystem associate;

# ---- device nodes: each is a device_node allowed on fs_t, tmpfs_t and tmp_t ----
typeattribute agp_device_t device_node;
allow agp_device_t fs_t:filesystem associate;
allow agp_device_t tmpfs_t:filesystem associate;
allow agp_device_t tmp_t:filesystem associate;
typeattribute apm_bios_t device_node;
allow apm_bios_t fs_t:filesystem associate;
allow apm_bios_t tmpfs_t:filesystem associate;
allow apm_bios_t tmp_t:filesystem associate;
# cardmgr_dev_t is additionally a file_type, polymember and tmpfile
typeattribute cardmgr_dev_t device_node;
allow cardmgr_dev_t fs_t:filesystem associate;
allow cardmgr_dev_t tmpfs_t:filesystem associate;
allow cardmgr_dev_t tmp_t:filesystem associate;
allow cardmgr_dev_t fs_t:filesystem associate;
allow cardmgr_dev_t noxattrfs:filesystem associate;
typeattribute cardmgr_dev_t file_type;
allow cardmgr_dev_t fs_t:filesystem associate;
allow cardmgr_dev_t noxattrfs:filesystem associate;
typeattribute cardmgr_dev_t file_type;
typeattribute cardmgr_dev_t polymember;
allow cardmgr_dev_t tmpfs_t:filesystem associate;
typeattribute cardmgr_dev_t tmpfile;
allow cardmgr_dev_t tmp_t:filesystem associate;
typeattribute clock_device_t device_node;
allow clock_device_t fs_t:filesystem associate;
allow clock_device_t tmpfs_t:filesystem associate;
allow clock_device_t tmp_t:filesystem associate;
typeattribute cpu_device_t device_node;
allow cpu_device_t fs_t:filesystem associate;
allow cpu_device_t tmpfs_t:filesystem associate;
allow cpu_device_t tmp_t:filesystem associate;
typeattribute crypt_device_t device_node;
allow crypt_device_t fs_t:filesystem associate;
allow crypt_device_t tmpfs_t:filesystem associate;
allow crypt_device_t tmp_t:filesystem associate;
typeattribute dri_device_t device_node;
allow dri_device_t fs_t:filesystem associate;
allow dri_device_t tmpfs_t:filesystem associate;
allow dri_device_t tmp_t:filesystem associate;
typeattribute event_device_t device_node;
allow event_device_t fs_t:filesystem associate;
allow event_device_t tmpfs_t:filesystem associate;
allow event_device_t tmp_t:filesystem associate;
typeattribute framebuf_device_t device_node;
allow framebuf_device_t fs_t:filesystem associate;
allow framebuf_device_t tmpfs_t:filesystem associate;
allow framebuf_device_t tmp_t:filesystem associate;
typeattribute lvm_control_t device_node;
allow lvm_control_t fs_t:filesystem associate;
allow lvm_control_t tmpfs_t:filesystem associate;
allow lvm_control_t tmp_t:filesystem associate;
typeattribute memory_device_t device_node;
allow memory_device_t fs_t:filesystem associate;
allow memory_device_t tmpfs_t:filesystem associate;
allow memory_device_t tmp_t:filesystem associate;
# Compile-time guard: only types carrying memory_raw_read may read raw memory
# device nodes, and only memory_raw_write types may write/append to them.
# Any allow rule elsewhere that grants this to another type fails the build.
neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read;
neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write };
typeattribute misc_device_t device_node;
allow misc_device_t fs_t:filesystem associate;
allow misc_device_t tmpfs_t:filesystem associate;
allow misc_device_t tmp_t:filesystem associate;
typeattribute mouse_device_t device_node;
allow mouse_device_t fs_t:filesystem associate;
allow mouse_device_t tmpfs_t:filesystem associate;
allow mouse_device_t tmp_t:filesystem associate;
typeattribute mtrr_device_t device_node;
allow mtrr_device_t fs_t:filesystem associate;
allow mtrr_device_t tmpfs_t:filesystem associate;
allow mtrr_device_t tmp_t:filesystem associate;
# null and zero devices are MLS trusted objects (exempt from the MLS file constraints)
typeattribute null_device_t device_node;
allow null_device_t fs_t:filesystem associate;
allow null_device_t tmpfs_t:filesystem associate;
allow null_device_t tmp_t:filesystem associate;
typeattribute null_device_t mlstrustedobject;
typeattribute power_device_t device_node;
allow power_device_t fs_t:filesystem associate;
allow power_device_t tmpfs_t:filesystem associate;
allow power_device_t tmp_t:filesystem associate;
typeattribute printer_device_t device_node;
allow printer_device_t fs_t:filesystem associate;
allow printer_device_t tmpfs_t:filesystem associate;
allow printer_device_t tmp_t:filesystem associate;
typeattribute random_device_t device_node;
allow random_device_t fs_t:filesystem associate;
allow random_device_t tmpfs_t:filesystem associate;
allow random_device_t tmp_t:filesystem associate;
typeattribute scanner_device_t device_node;
allow scanner_device_t fs_t:filesystem associate;
allow scanner_device_t tmpfs_t:filesystem associate;
allow scanner_device_t tmp_t:filesystem associate;
typeattribute sound_device_t device_node;
allow sound_device_t fs_t:filesystem associate;
allow sound_device_t tmpfs_t:filesystem associate;
allow sound_device_t tmp_t:filesystem associate;
# sysfs_t and usbfs_t are filesystems in their own right (filesystem_type, self-associate)
allow sysfs_t fs_t:filesystem associate;
allow sysfs_t noxattrfs:filesystem associate;
typeattribute sysfs_t file_type;
typeattribute sysfs_t mountpoint;
typeattribute sysfs_t filesystem_type;
allow sysfs_t self:filesystem associate;
typeattribute urandom_device_t device_node;
allow urandom_device_t fs_t:filesystem associate;
allow urandom_device_t tmpfs_t:filesystem associate;
allow urandom_device_t tmp_t:filesystem associate;
allow usbfs_t fs_t:filesystem associate;
allow usbfs_t noxattrfs:filesystem associate;
typeattribute usbfs_t file_type;
typeattribute usbfs_t mountpoint;
typeattribute usbfs_t filesystem_type;
allow usbfs_t self:filesystem associate;
typeattribute usbfs_t noxattrfs;
typeattribute usb_device_t device_node;
allow usb_device_t fs_t:filesystem associate;
allow usb_device_t tmpfs_t:filesystem associate;
allow usb_device_t tmp_t:filesystem associate;
typeattribute v4l_device_t device_node;
allow v4l_device_t fs_t:filesystem associate;
allow v4l_device_t tmpfs_t:filesystem associate;
allow v4l_device_t tmp_t:filesystem associate;
typeattribute xserver_misc_device_t device_node;
allow xserver_misc_device_t fs_t:filesystem associate;
allow xserver_misc_device_t tmpfs_t:filesystem associate;
allow xserver_misc_device_t tmp_t:filesystem associate;
typeattribute zero_device_t device_node;
allow zero_device_t fs_t:filesystem associate;
allow zero_device_t tmpfs_t:filesystem associate;
allow zero_device_t tmp_t:filesystem associate;
typeattribute zero_device_t mlstrustedobject;
allow xconsole_device_t fs_t:filesystem associate;
allow xconsole_device_t noxattrfs:filesystem associate;
typeattribute xconsole_device_t file_type;
allow xconsole_device_t tmpfs_t:filesystem associate;
allow xconsole_device_t tmp_t:filesystem associate;
typeattribute devfs_control_t device_node;
allow devfs_control_t fs_t:filesystem associate;
allow devfs_control_t tmpfs_t:filesystem associate;
allow devfs_control_t tmp_t:filesystem associate;

# ---- compile-time guards on process transitions ----
# A domain may only transition (static or dynamic) into another domain type.
neverallow domain ~domain:process { transition dyntransition };
# Only domains carrying set_curr_context may change their own current context.
neverallow { domain -set_curr_context } self:process setcurrent;
# Process-class permissions exist only between domain/unlabeled_t types on both
# sides; no other type may be the subject or object of a process permission.
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
neverallow ~{ domain unlabeled_t } *:process *;

# ---- generic file types ----
# every file_type may be placed on a filesystem labelled with its own type
allow file_type self:filesystem associate;
allow boot_t fs_t:filesystem associate;
allow boot_t noxattrfs:filesystem associate;
typeattribute boot_t file_type;
allow boot_t fs_t:filesystem associate;
allow boot_t noxattrfs:filesystem associate;
typeattribute boot_t file_type;
typeattribute boot_t mountpoint;
allow default_t fs_t:filesystem associate;
allow default_t noxattrfs:filesystem associate;
allow etc_t fs_t:filesystem associate;
allow etc_t noxattrfs:filesystem associate;
allow etc_runtime_t fs_t:filesystem associate;
allow etc_runtime_t noxattrfs:filesystem associate;
# (the next statement continues beyond this chunk)
allow
file_t fs_t:filesystem associate; 1254 allow file_t noxattrfs:filesystem associate; 1255 allow kernel_t file_t:dir mounton; 1256 allow home_root_t fs_t:filesystem associate; 1257 allow home_root_t noxattrfs:filesystem associate; 1258 allow home_root_t fs_t:filesystem associate; 1259 allow home_root_t noxattrfs:filesystem associate; 1260 typeattribute home_root_t file_type; 1261 typeattribute home_root_t polyparent; 1262 allow lost_found_t fs_t:filesystem associate; 1263 allow lost_found_t noxattrfs:filesystem associate; 1264 allow mnt_t fs_t:filesystem associate; 1265 allow mnt_t noxattrfs:filesystem associate; 1266 allow modules_object_t fs_t:filesystem associate; 1267 allow modules_object_t noxattrfs:filesystem associate; 1268 typeattribute modules_object_t file_type; 1269 allow no_access_t fs_t:filesystem associate; 1270 allow no_access_t noxattrfs:filesystem associate; 1271 allow poly_t fs_t:filesystem associate; 1272 allow poly_t noxattrfs:filesystem associate; 1273 allow readable_t fs_t:filesystem associate; 1274 allow readable_t noxattrfs:filesystem associate; 1275 allow root_t fs_t:filesystem associate; 1276 allow root_t noxattrfs:filesystem associate; 1277 allow root_t fs_t:filesystem associate; 1278 allow root_t noxattrfs:filesystem associate; 1279 typeattribute root_t file_type; 1280 typeattribute root_t polyparent; 1281 allow kernel_t root_t:dir mounton; 1282 allow src_t fs_t:filesystem associate; 1283 allow src_t noxattrfs:filesystem associate; 1284 allow system_map_t fs_t:filesystem associate; 1285 allow system_map_t noxattrfs:filesystem associate; 1286 typeattribute system_map_t file_type; 1287 allow tmp_t fs_t:filesystem associate; 1288 allow tmp_t noxattrfs:filesystem associate; 1289 typeattribute tmp_t file_type; 1290 allow tmp_t fs_t:filesystem associate; 1291 allow tmp_t noxattrfs:filesystem associate; 1292 typeattribute tmp_t file_type; 1293 typeattribute tmp_t polymember; 1294 allow tmp_t tmpfs_t:filesystem associate; 1295 typeattribute tmp_t 
tmpfile; 1296 allow tmp_t tmp_t:filesystem associate; 1297 allow tmp_t fs_t:filesystem associate; 1298 allow tmp_t noxattrfs:filesystem associate; 1299 typeattribute tmp_t file_type; 1300 typeattribute tmp_t polyparent; 1301 allow usr_t fs_t:filesystem associate; 1302 allow usr_t noxattrfs:filesystem associate; 1303 allow var_t fs_t:filesystem associate; 1304 allow var_t noxattrfs:filesystem associate; 1305 allow var_lib_t fs_t:filesystem associate; 1306 allow var_lib_t noxattrfs:filesystem associate; 1307 allow var_lock_t fs_t:filesystem associate; 1308 allow var_lock_t noxattrfs:filesystem associate; 1309 allow var_run_t fs_t:filesystem associate; 1310 allow var_run_t noxattrfs:filesystem associate; 1311 allow var_spool_t fs_t:filesystem associate; 1312 allow var_spool_t noxattrfs:filesystem associate; 1313 typeattribute var_spool_t file_type; 1314 allow var_spool_t fs_t:filesystem associate; 1315 allow var_spool_t noxattrfs:filesystem associate; 1316 typeattribute var_spool_t file_type; 1317 typeattribute var_spool_t polymember; 1318 allow var_spool_t tmpfs_t:filesystem associate; 1319 typeattribute var_spool_t tmpfile; 1320 allow var_spool_t tmp_t:filesystem associate; 1321 typeattribute fs_t filesystem_type; 1322 allow fs_t self:filesystem associate; 1323 typeattribute bdev_t filesystem_type; 1324 allow bdev_t self:filesystem associate; 1325 typeattribute binfmt_misc_fs_t filesystem_type; 1326 allow binfmt_misc_fs_t self:filesystem associate; 1327 allow binfmt_misc_fs_t fs_t:filesystem associate; 1328 allow binfmt_misc_fs_t noxattrfs:filesystem associate; 1329 typeattribute binfmt_misc_fs_t file_type; 1330 typeattribute binfmt_misc_fs_t mountpoint; 1331 typeattribute capifs_t filesystem_type; 1332 allow capifs_t self:filesystem associate; 1333 typeattribute configfs_t filesystem_type; 1334 allow configfs_t self:filesystem associate; 1335 typeattribute eventpollfs_t filesystem_type; 1336 allow eventpollfs_t self:filesystem associate; 1337 typeattribute 
futexfs_t filesystem_type; 1338 allow futexfs_t self:filesystem associate; 1339 typeattribute hugetlbfs_t filesystem_type; 1340 allow hugetlbfs_t self:filesystem associate; 1341 allow hugetlbfs_t fs_t:filesystem associate; 1342 allow hugetlbfs_t noxattrfs:filesystem associate; 1343 typeattribute hugetlbfs_t file_type; 1344 typeattribute hugetlbfs_t mountpoint; 1345 typeattribute inotifyfs_t filesystem_type; 1346 allow inotifyfs_t self:filesystem associate; 1347 typeattribute nfsd_fs_t filesystem_type; 1348 allow nfsd_fs_t self:filesystem associate; 1349 typeattribute ramfs_t filesystem_type; 1350 allow ramfs_t self:filesystem associate; 1351 typeattribute romfs_t filesystem_type; 1352 allow romfs_t self:filesystem associate; 1353 typeattribute rpc_pipefs_t filesystem_type; 1354 allow rpc_pipefs_t self:filesystem associate; 1355 typeattribute tmpfs_t filesystem_type; 1356 allow tmpfs_t self:filesystem associate; 1357 allow tmpfs_t fs_t:filesystem associate; 1358 allow tmpfs_t noxattrfs:filesystem associate; 1359 typeattribute tmpfs_t file_type; 1360 allow tmpfs_t fs_t:filesystem associate; 1361 allow tmpfs_t noxattrfs:filesystem associate; 1362 typeattribute tmpfs_t file_type; 1363 typeattribute tmpfs_t mountpoint; 1364allow tmpfs_t noxattrfs:filesystem associate; 1365 typeattribute autofs_t filesystem_type; 1366 allow autofs_t self:filesystem associate; 1367 allow autofs_t fs_t:filesystem associate; 1368 allow autofs_t noxattrfs:filesystem associate; 1369 typeattribute autofs_t file_type; 1370 typeattribute autofs_t mountpoint; 1371 typeattribute cifs_t filesystem_type; 1372 allow cifs_t self:filesystem associate; 1373 typeattribute dosfs_t filesystem_type; 1374 allow dosfs_t self:filesystem associate; 1375allow dosfs_t fs_t:filesystem associate; 1376 typeattribute iso9660_t filesystem_type; 1377 allow iso9660_t self:filesystem associate; 1378allow removable_t noxattrfs:filesystem associate; 1379 typeattribute removable_t filesystem_type; 1380 allow removable_t 
self:filesystem associate; 1381 allow removable_t fs_t:filesystem associate; 1382 allow removable_t noxattrfs:filesystem associate; 1383 typeattribute removable_t file_type; 1384 typeattribute removable_t usercanread; 1385 typeattribute nfs_t filesystem_type; 1386 allow nfs_t self:filesystem associate; 1387 allow nfs_t fs_t:filesystem associate; 1388 allow nfs_t noxattrfs:filesystem associate; 1389 typeattribute nfs_t file_type; 1390 typeattribute nfs_t mountpoint; 1391neverallow ~can_load_kernmodule self:capability sys_module; 1392role system_r; 1393role sysadm_r; 1394role staff_r; 1395role user_r; 1396role secadm_r; 1397 typeattribute kernel_t domain; 1398 allow kernel_t self:dir { read getattr lock search ioctl }; 1399 allow kernel_t self:lnk_file { read getattr lock ioctl }; 1400 allow kernel_t self:file { getattr read write append ioctl lock }; 1401 allow kernel_t self:process { fork sigchld }; 1402 role secadm_r types kernel_t; 1403 role sysadm_r types kernel_t; 1404 role user_r types kernel_t; 1405 role staff_r types kernel_t; 1406 typeattribute kernel_t privrangetrans; 1407role system_r types kernel_t; 1408 typeattribute debugfs_t filesystem_type; 1409 allow debugfs_t self:filesystem associate; 1410allow debugfs_t self:filesystem associate; 1411 allow proc_t fs_t:filesystem associate; 1412 allow proc_t noxattrfs:filesystem associate; 1413 typeattribute proc_t file_type; 1414 typeattribute proc_t mountpoint; 1415 typeattribute proc_t filesystem_type; 1416 allow proc_t self:filesystem associate; 1417neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr; 1418neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr; 1419 allow sysctl_t fs_t:filesystem associate; 1420 allow sysctl_t noxattrfs:filesystem associate; 1421 typeattribute sysctl_t file_type; 1422 typeattribute sysctl_t mountpoint; 1423 allow sysctl_fs_t fs_t:filesystem associate; 1424 allow sysctl_fs_t noxattrfs:filesystem associate; 1425 typeattribute sysctl_fs_t file_type; 1426 
typeattribute sysctl_fs_t mountpoint; 1427allow kernel_t self:capability *; 1428allow kernel_t unlabeled_t:dir mounton; 1429allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; 1430allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; 1431allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; 1432allow kernel_t self:msg { send receive }; 1433allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; 1434allow kernel_t self:unix_dgram_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } }; 1435allow kernel_t self:unix_stream_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } listen accept }; 1436allow kernel_t self:unix_dgram_socket sendto; 1437allow kernel_t self:unix_stream_socket connectto; 1438allow kernel_t self:fifo_file { getattr read write append ioctl lock }; 1439allow kernel_t self:sock_file { read getattr lock ioctl }; 1440allow kernel_t self:fd use; 1441allow kernel_t proc_t:dir { read getattr lock search ioctl }; 1442allow kernel_t proc_t:{ lnk_file file } { read getattr lock ioctl }; 1443allow kernel_t proc_net_t:dir { read getattr lock search ioctl }; 1444allow kernel_t proc_net_t:file { read getattr lock ioctl }; 1445allow kernel_t proc_mdstat_t:file { read getattr lock ioctl }; 1446allow kernel_t proc_kcore_t:file getattr; 1447allow kernel_t proc_kmsg_t:file getattr; 1448allow kernel_t sysctl_t:dir { read getattr lock search ioctl }; 1449allow kernel_t sysctl_kernel_t:dir { read getattr lock search ioctl }; 1450allow kernel_t sysctl_kernel_t:file { read getattr lock ioctl }; 1451allow kernel_t unlabeled_t:fifo_file { getattr read write append ioctl lock }; 1452 allow kernel_t unlabeled_t:association { sendto recvfrom }; 1453 allow kernel_t 
netif_type:netif rawip_send; 1454 allow kernel_t netif_type:netif rawip_recv; 1455 allow kernel_t node_type:node rawip_send; 1456 allow kernel_t node_type:node rawip_recv; 1457 allow kernel_t netif_t:netif rawip_send; 1458 allow kernel_t netif_type:netif { tcp_send tcp_recv }; 1459 allow kernel_t node_type:node { tcp_send tcp_recv }; 1460 allow kernel_t node_t:node rawip_send; 1461 allow kernel_t multicast_node_t:node rawip_send; 1462 allow kernel_t sysfs_t:dir { read getattr lock search ioctl }; 1463 allow kernel_t sysfs_t:{ file lnk_file } { read getattr lock ioctl }; 1464 allow kernel_t usbfs_t:dir search; 1465 allow kernel_t filesystem_type:filesystem mount; 1466 allow kernel_t security_t:dir { read search getattr }; 1467 allow kernel_t security_t:file { getattr read write }; 1468 typeattribute kernel_t can_load_policy; 1469 if(!secure_mode_policyload) { 1470 allow kernel_t security_t:security load_policy; 1471 auditallow kernel_t security_t:security load_policy; 1472 } 1473 allow kernel_t device_t:dir { read getattr lock search ioctl }; 1474 allow kernel_t device_t:lnk_file { getattr read }; 1475 allow kernel_t console_device_t:chr_file { getattr read write append ioctl lock }; 1476 allow kernel_t bin_t:dir { read getattr lock search ioctl }; 1477 allow kernel_t bin_t:lnk_file { read getattr lock ioctl }; 1478 allow kernel_t shell_exec_t:file { { read getattr lock execute ioctl } execute_no_trans }; 1479 allow kernel_t sbin_t:dir { read getattr lock search ioctl }; 1480 allow kernel_t bin_t:dir { read getattr lock search ioctl }; 1481 allow kernel_t bin_t:lnk_file { read getattr lock ioctl }; 1482 allow kernel_t bin_t:file { { read getattr lock execute ioctl } execute_no_trans }; 1483 allow kernel_t domain:process signal; 1484 allow kernel_t proc_t:dir search; 1485 allow kernel_t domain:dir search; 1486 allow kernel_t root_t:dir { read getattr lock search ioctl }; 1487 allow kernel_t root_t:lnk_file { read getattr lock ioctl }; 1488 allow kernel_t etc_t:dir { 
read getattr lock search ioctl }; 1489 allow kernel_t home_root_t:dir { read getattr lock search ioctl }; 1490 allow kernel_t usr_t:dir { read getattr lock search ioctl }; 1491 allow kernel_t usr_t:{ file lnk_file } { read getattr lock ioctl }; 1492 typeattribute kernel_t mlsprocread; 1493 typeattribute kernel_t mlsprocwrite; 1494 allow kernel_t self:capability *; 1495 allow kernel_t self:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; 1496 allow kernel_t self:process transition; 1497 allow kernel_t self:file { getattr read write append ioctl lock }; 1498 allow kernel_t self:nscd *; 1499 allow kernel_t self:dbus *; 1500 allow kernel_t self:passwd *; 1501 allow kernel_t proc_type:{ dir file } *; 1502 allow kernel_t sysctl_t:{ dir file } *; 1503 allow kernel_t kernel_t:system *; 1504 allow kernel_t unlabeled_t:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; 1505 allow kernel_t unlabeled_t:filesystem *; 1506 allow kernel_t unlabeled_t:association *; 1507 typeattribute kernel_t can_load_kernmodule, can_receive_kernel_messages; 1508 typeattribute kernel_t kern_unconfined; 1509 allow kernel_t { proc_t proc_net_t }:dir search; 1510 allow kernel_t sysctl_type:dir { read getattr lock search ioctl }; 1511 allow kernel_t sysctl_type:file { { getattr read write append ioctl lock } setattr }; 1512 allow kernel_t node_type:node *; 1513 allow kernel_t netif_type:netif *; 1514 allow kernel_t port_type:tcp_socket { send_msg recv_msg name_connect }; 1515 allow kernel_t port_type:udp_socket { send_msg recv_msg }; 1516 allow kernel_t port_type:{ tcp_socket udp_socket rawip_socket } name_bind; 1517 allow kernel_t node_type:{ tcp_socket udp_socket rawip_socket } node_bind; 1518 allow kernel_t unlabeled_t:association { sendto recvfrom }; 1519 allow kernel_t device_node:{ chr_file blk_file } *; 1520 allow kernel_t mtrr_device_t:{ dir file } *; 1521 allow kernel_t self:capability sys_rawio; 1522 typeattribute kernel_t memory_raw_write, 
memory_raw_read; 1523 typeattribute kernel_t unconfined_domain_type; 1524 typeattribute kernel_t can_change_process_identity; 1525 typeattribute kernel_t can_change_process_role; 1526 typeattribute kernel_t can_change_object_identity; 1527 typeattribute kernel_t set_curr_context; 1528 allow kernel_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } socket key_socket } *; 1529 allow kernel_t domain:fd use; 1530 allow kernel_t domain:fifo_file { getattr read write append ioctl lock }; 1531 allow kernel_t domain:process ~{ transition dyntransition execmem execstack execheap }; 1532 allow kernel_t domain:{ sem msgq shm } *; 1533 allow kernel_t domain:msg { send receive }; 1534 allow kernel_t domain:dir { read getattr lock search ioctl }; 1535 allow kernel_t domain:file { read getattr lock ioctl }; 1536 allow kernel_t domain:lnk_file { read getattr lock ioctl }; 1537 dontaudit kernel_t domain:dir { read getattr lock search ioctl }; 1538 dontaudit kernel_t domain:lnk_file { read getattr lock ioctl }; 1539 dontaudit kernel_t domain:file { read getattr lock ioctl }; 1540 dontaudit kernel_t domain:sock_file { read getattr lock ioctl }; 1541 dontaudit kernel_t domain:fifo_file { read getattr lock ioctl }; 1542 allow kernel_t file_type:{ file chr_file } ~execmod; 1543 allow kernel_t file_type:{ dir lnk_file sock_file fifo_file blk_file } *; 1544 allow kernel_t file_type:filesystem *; 1545 allow kernel_t file_type:{ unix_stream_socket unix_dgram_socket } name_bind; 1546 if (allow_execmod) { 1547 allow kernel_t file_type:file execmod; 1548 } 1549 allow kernel_t filesystem_type:filesystem *; 1550 allow kernel_t filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; 1551 
allow kernel_t security_t:dir { getattr search read }; 1552 allow kernel_t security_t:file { getattr read write }; 1553 typeattribute kernel_t can_load_policy, can_setenforce, can_setsecparam; 1554 if(!secure_mode_policyload) { 1555 allow kernel_t security_t:security *; 1556 auditallow kernel_t security_t:security { load_policy setenforce setbool }; 1557 } 1558 if (allow_execheap) { 1559 allow kernel_t self:process execheap; 1560 } 1561 if (allow_execmem) { 1562 allow kernel_t self:process execmem; 1563 } 1564 if (allow_execmem && allow_execstack) { 1565 allow kernel_t self:process execstack; 1566 auditallow kernel_t self:process execstack; 1567 } else { 1568 } 1569 if (allow_execheap) { 1570 auditallow kernel_t self:process execheap; 1571 } 1572 if (allow_execmem) { 1573 auditallow kernel_t self:process execmem; 1574 } 1575 if (read_default_t) { 1576 allow kernel_t default_t:dir { read getattr lock search ioctl }; 1577 allow kernel_t default_t:file { read getattr lock ioctl }; 1578 allow kernel_t default_t:lnk_file { read getattr lock ioctl }; 1579 allow kernel_t default_t:sock_file { read getattr lock ioctl }; 1580 allow kernel_t default_t:fifo_file { read getattr lock ioctl }; 1581 } 1582 allow unlabeled_t self:filesystem associate; 1583range_transition getty_t login_exec_t s0 - s0:c0.c255; 1584range_transition init_t xdm_exec_t s0 - s0:c0.c255; 1585range_transition initrc_t crond_exec_t s0 - s0:c0.c255; 1586range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; 1587range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; 1588range_transition initrc_t udev_exec_t s0 - s0:c0.c255; 1589range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; 1590range_transition kernel_t udev_exec_t s0 - s0:c0.c255; 1591range_transition unconfined_t su_exec_t s0 - s0:c0.c255; 1592range_transition unconfined_t initrc_exec_t s0; 1593 typeattribute security_t filesystem_type; 1594 allow security_t self:filesystem associate; 1595 typeattribute security_t mlstrustedobject; 1596neverallow 
~can_load_policy security_t:security load_policy; 1597neverallow ~can_setenforce security_t:security setenforce; 1598neverallow ~can_setsecparam security_t:security setsecparam; 1599 typeattribute bsdpty_device_t device_node; 1600 allow bsdpty_device_t fs_t:filesystem associate; 1601 allow bsdpty_device_t tmpfs_t:filesystem associate; 1602 allow bsdpty_device_t tmp_t:filesystem associate; 1603 typeattribute console_device_t device_node; 1604 allow console_device_t fs_t:filesystem associate; 1605 allow console_device_t tmpfs_t:filesystem associate; 1606 allow console_device_t tmp_t:filesystem associate; 1607 allow devpts_t fs_t:filesystem associate; 1608 allow devpts_t noxattrfs:filesystem associate; 1609 typeattribute devpts_t file_type; 1610 typeattribute devpts_t mountpoint; 1611 allow devpts_t tmpfs_t:filesystem associate; 1612 allow devpts_t tmp_t:filesystem associate; 1613 typeattribute devpts_t filesystem_type; 1614 allow devpts_t self:filesystem associate; 1615 typeattribute devpts_t ttynode, ptynode; 1616 typeattribute devtty_t device_node; 1617 allow devtty_t fs_t:filesystem associate; 1618 allow devtty_t tmpfs_t:filesystem associate; 1619 allow devtty_t tmp_t:filesystem associate; 1620 typeattribute devtty_t mlstrustedobject; 1621 typeattribute ptmx_t device_node; 1622 allow ptmx_t fs_t:filesystem associate; 1623 allow ptmx_t tmpfs_t:filesystem associate; 1624 allow ptmx_t tmp_t:filesystem associate; 1625 typeattribute ptmx_t mlstrustedobject; 1626 typeattribute tty_device_t device_node; 1627 allow tty_device_t fs_t:filesystem associate; 1628 allow tty_device_t tmpfs_t:filesystem associate; 1629 allow tty_device_t tmp_t:filesystem associate; 1630 typeattribute tty_device_t ttynode; 1631 typeattribute usbtty_device_t device_node; 1632 allow usbtty_device_t fs_t:filesystem associate; 1633 allow usbtty_device_t tmpfs_t:filesystem associate; 1634 allow usbtty_device_t tmp_t:filesystem associate; 1635user system_u roles { system_r } level s0 range s0 - 
s0:c0.c255; 1636user user_u roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255; 1637 user root roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255; 1638constrain process transition 1639 ( u1 == u2 1640 or t1 == can_change_process_identity 1641); 1642constrain process transition 1643 ( r1 == r2 1644 or t1 == can_change_process_role 1645); 1646constrain process dyntransition 1647 ( u1 == u2 and r1 == r2 ); 1648constrain { dir file lnk_file sock_file fifo_file chr_file blk_file } { create relabelto relabelfrom } 1649 ( u1 == u2 or t1 == can_change_object_identity ); 1650constrain { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } { create relabelto relabelfrom } 1651 ( u1 == u2 or t1 == can_change_object_identity ); 1652sid port system_u:object_r:port_t:s0 1653sid node system_u:object_r:node_t:s0 1654sid netif system_u:object_r:netif_t:s0 1655sid devnull system_u:object_r:null_device_t:s0 1656sid file system_u:object_r:file_t:s0 1657sid fs system_u:object_r:fs_t:s0 1658sid kernel system_u:system_r:kernel_t:s0 1659sid sysctl system_u:object_r:sysctl_t:s0 1660sid unlabeled system_u:object_r:unlabeled_t:s0 1661sid any_socket system_u:object_r:unlabeled_t:s0 1662sid file_labels system_u:object_r:unlabeled_t:s0 1663sid icmp_socket system_u:object_r:unlabeled_t:s0 1664sid igmp_packet system_u:object_r:unlabeled_t:s0 1665sid init system_u:object_r:unlabeled_t:s0 1666sid kmod system_u:object_r:unlabeled_t:s0 1667sid netmsg system_u:object_r:unlabeled_t:s0 1668sid policy system_u:object_r:unlabeled_t:s0 1669sid scmp_packet system_u:object_r:unlabeled_t:s0 1670sid sysctl_modprobe system_u:object_r:unlabeled_t:s0 1671sid sysctl_fs system_u:object_r:unlabeled_t:s0 1672sid 
sysctl_kernel system_u:object_r:unlabeled_t:s0 1673sid sysctl_net system_u:object_r:unlabeled_t:s0 1674sid sysctl_net_unix system_u:object_r:unlabeled_t:s0 1675sid sysctl_vm system_u:object_r:unlabeled_t:s0 1676sid sysctl_dev system_u:object_r:unlabeled_t:s0 1677sid tcp_socket system_u:object_r:unlabeled_t:s0 1678sid security system_u:object_r:security_t:s0 1679fs_use_xattr ext2 system_u:object_r:fs_t:s0; 1680fs_use_xattr ext3 system_u:object_r:fs_t:s0; 1681fs_use_xattr gfs system_u:object_r:fs_t:s0; 1682fs_use_xattr jfs system_u:object_r:fs_t:s0; 1683fs_use_xattr reiserfs system_u:object_r:fs_t:s0; 1684fs_use_xattr xfs system_u:object_r:fs_t:s0; 1685fs_use_task pipefs system_u:object_r:fs_t:s0; 1686fs_use_task sockfs system_u:object_r:fs_t:s0; 1687fs_use_trans mqueue system_u:object_r:tmpfs_t:s0; 1688fs_use_trans shm system_u:object_r:tmpfs_t:s0; 1689fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0; 1690fs_use_trans devpts system_u:object_r:devpts_t:s0; 1691genfscon proc /mtrr system_u:object_r:mtrr_device_t:s0 1692genfscon sysfs / system_u:object_r:sysfs_t:s0 1693genfscon usbfs / system_u:object_r:usbfs_t:s0 1694genfscon usbdevfs / system_u:object_r:usbfs_t:s0 1695genfscon rootfs / system_u:object_r:root_t:s0 1696genfscon bdev / system_u:object_r:bdev_t:s0 1697genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0 1698genfscon capifs / system_u:object_r:capifs_t:s0 1699genfscon configfs / system_u:object_r:configfs_t:s0 1700genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0 1701genfscon futexfs / system_u:object_r:futexfs_t:s0 1702genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0 1703genfscon inotifyfs / system_u:object_r:inotifyfs_t:s0 1704genfscon nfsd / system_u:object_r:nfsd_fs_t:s0 1705genfscon ramfs / system_u:object_r:ramfs_t:s0 1706genfscon romfs / system_u:object_r:romfs_t:s0 1707genfscon cramfs / system_u:object_r:romfs_t:s0 1708genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0 1709genfscon autofs / system_u:object_r:autofs_t:s0 
1710genfscon automount / system_u:object_r:autofs_t:s0 1711genfscon cifs / system_u:object_r:cifs_t:s0 1712genfscon smbfs / system_u:object_r:cifs_t:s0 1713genfscon fat / system_u:object_r:dosfs_t:s0 1714genfscon msdos / system_u:object_r:dosfs_t:s0 1715genfscon ntfs / system_u:object_r:dosfs_t:s0 1716genfscon vfat / system_u:object_r:dosfs_t:s0 1717genfscon iso9660 / system_u:object_r:iso9660_t:s0 1718genfscon udf / system_u:object_r:iso9660_t:s0 1719genfscon nfs / system_u:object_r:nfs_t:s0 1720genfscon nfs4 / system_u:object_r:nfs_t:s0 1721genfscon afs / system_u:object_r:nfs_t:s0 1722genfscon hfsplus / system_u:object_r:nfs_t:s0 1723genfscon debugfs / system_u:object_r:debugfs_t:s0 1724genfscon proc / system_u:object_r:proc_t:s0 1725genfscon proc /sysvipc system_u:object_r:proc_t:s0 1726genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s0 1727genfscon proc /kcore system_u:object_r:proc_kcore_t:s0 1728genfscon proc /mdstat system_u:object_r:proc_mdstat_t:s0 1729genfscon proc /net system_u:object_r:proc_net_t:s0 1730genfscon proc /xen system_u:object_r:proc_xen_t:s0 1731genfscon proc /sys system_u:object_r:sysctl_t:s0 1732genfscon proc /irq system_u:object_r:sysctl_irq_t:s0 1733genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t:s0 1734genfscon proc /sys/fs system_u:object_r:sysctl_fs_t:s0 1735genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0 1736genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t:s0 1737genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t:s0 1738genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0 1739genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t:s0 1740genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0 1741genfscon proc /sys/dev system_u:object_r:sysctl_dev_t:s0 1742genfscon selinuxfs / system_u:object_r:security_t:s0 1743portcon udp 7007 system_u:object_r:afs_bos_port_t:s0 1744portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0 1745portcon udp 7000 
system_u:object_r:afs_fs_port_t:s0 1746portcon udp 7005 system_u:object_r:afs_fs_port_t:s0 1747portcon udp 7004 system_u:object_r:afs_ka_port_t:s0 1748portcon udp 7002 system_u:object_r:afs_pt_port_t:s0 1749portcon udp 7003 system_u:object_r:afs_vl_port_t:s0 1750portcon udp 10080 system_u:object_r:amanda_port_t:s0 1751portcon tcp 10080 system_u:object_r:amanda_port_t:s0 1752portcon udp 10081 system_u:object_r:amanda_port_t:s0 1753portcon tcp 10081 system_u:object_r:amanda_port_t:s0 1754portcon tcp 10082 system_u:object_r:amanda_port_t:s0 1755portcon tcp 10083 system_u:object_r:amanda_port_t:s0 1756portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0 1757portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0 1758portcon tcp 1720 system_u:object_r:asterisk_port_t:s0 1759portcon udp 2427 system_u:object_r:asterisk_port_t:s0 1760portcon udp 2727 system_u:object_r:asterisk_port_t:s0 1761portcon udp 4569 system_u:object_r:asterisk_port_t:s0 1762portcon udp 5060 system_u:object_r:asterisk_port_t:s0 1763portcon tcp 113 system_u:object_r:auth_port_t:s0 1764portcon tcp 179 system_u:object_r:bgp_port_t:s0 1765portcon udp 179 system_u:object_r:bgp_port_t:s0 1766portcon tcp 3310 system_u:object_r:clamd_port_t:s0 1767portcon udp 4041 system_u:object_r:clockspeed_port_t:s0 1768portcon udp 512 system_u:object_r:comsat_port_t:s0 1769portcon tcp 2401 system_u:object_r:cvs_port_t:s0 1770portcon udp 2401 system_u:object_r:cvs_port_t:s0 1771portcon udp 6276 system_u:object_r:dcc_port_t:s0 1772portcon udp 6277 system_u:object_r:dcc_port_t:s0 1773portcon tcp 1178 system_u:object_r:dbskkd_port_t:s0 1774portcon udp 68 system_u:object_r:dhcpc_port_t:s0 1775portcon udp 67 system_u:object_r:dhcpd_port_t:s0 1776portcon tcp 647 system_u:object_r:dhcpd_port_t:s0 1777portcon udp 647 system_u:object_r:dhcpd_port_t:s0 1778portcon tcp 847 system_u:object_r:dhcpd_port_t:s0 1779portcon udp 847 system_u:object_r:dhcpd_port_t:s0 1780portcon tcp 2628 system_u:object_r:dict_port_t:s0 1781portcon 
tcp 3632 system_u:object_r:distccd_port_t:s0 1782portcon udp 53 system_u:object_r:dns_port_t:s0 1783portcon tcp 53 system_u:object_r:dns_port_t:s0 1784portcon tcp 79 system_u:object_r:fingerd_port_t:s0 1785portcon tcp 20 system_u:object_r:ftp_data_port_t:s0 1786portcon tcp 21 system_u:object_r:ftp_port_t:s0 1787portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0 1788portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0 1789portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0 1790portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0 1791portcon tcp 1213 system_u:object_r:giftd_port_t:s0 1792portcon tcp 70 system_u:object_r:gopher_port_t:s0 1793portcon udp 70 system_u:object_r:gopher_port_t:s0 1794portcon tcp 3128 system_u:object_r:http_cache_port_t:s0 1795portcon udp 3130 system_u:object_r:http_cache_port_t:s0 1796portcon tcp 8080 system_u:object_r:http_cache_port_t:s0 1797portcon tcp 8118 system_u:object_r:http_cache_port_t:s0 1798portcon tcp 80 system_u:object_r:http_port_t:s0 1799portcon tcp 443 system_u:object_r:http_port_t:s0 1800portcon tcp 488 system_u:object_r:http_port_t:s0 1801portcon tcp 8008 system_u:object_r:http_port_t:s0 1802portcon tcp 9050 system_u:object_r:http_port_t:s0 1803portcon tcp 5335 system_u:object_r:howl_port_t:s0 1804portcon udp 5353 system_u:object_r:howl_port_t:s0 1805portcon tcp 50000 system_u:object_r:hplip_port_t:s0 1806portcon tcp 50002 system_u:object_r:hplip_port_t:s0 1807portcon tcp 9010 system_u:object_r:i18n_input_port_t:s0 1808portcon tcp 5323 system_u:object_r:imaze_port_t:s0 1809portcon udp 5323 system_u:object_r:imaze_port_t:s0 1810portcon tcp 7 system_u:object_r:inetd_child_port_t:s0 1811portcon udp 7 system_u:object_r:inetd_child_port_t:s0 1812portcon tcp 9 system_u:object_r:inetd_child_port_t:s0 1813portcon udp 9 system_u:object_r:inetd_child_port_t:s0 1814portcon tcp 13 system_u:object_r:inetd_child_port_t:s0 1815portcon udp 13 system_u:object_r:inetd_child_port_t:s0 1816portcon tcp 19 
system_u:object_r:inetd_child_port_t:s0 1817portcon udp 19 system_u:object_r:inetd_child_port_t:s0 1818portcon tcp 37 system_u:object_r:inetd_child_port_t:s0 1819portcon udp 37 system_u:object_r:inetd_child_port_t:s0 1820portcon tcp 512 system_u:object_r:inetd_child_port_t:s0 1821portcon tcp 543 system_u:object_r:inetd_child_port_t:s0 1822portcon tcp 544 system_u:object_r:inetd_child_port_t:s0 1823portcon tcp 891 system_u:object_r:inetd_child_port_t:s0 1824portcon udp 891 system_u:object_r:inetd_child_port_t:s0 1825portcon tcp 892 system_u:object_r:inetd_child_port_t:s0 1826portcon udp 892 system_u:object_r:inetd_child_port_t:s0 1827portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0 1828portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0 1829portcon tcp 119 system_u:object_r:innd_port_t:s0 1830portcon tcp 631 system_u:object_r:ipp_port_t:s0 1831portcon udp 631 system_u:object_r:ipp_port_t:s0 1832portcon tcp 6667 system_u:object_r:ircd_port_t:s0 1833portcon udp 500 system_u:object_r:isakmp_port_t:s0 1834portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0 1835portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0 1836portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0 1837portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0 1838portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0 1839portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0 1840portcon tcp 4444 system_u:object_r:kerberos_master_port_t:s0 1841portcon udp 4444 system_u:object_r:kerberos_master_port_t:s0 1842portcon tcp 88 system_u:object_r:kerberos_port_t:s0 1843portcon udp 88 system_u:object_r:kerberos_port_t:s0 1844portcon tcp 750 system_u:object_r:kerberos_port_t:s0 1845portcon udp 750 system_u:object_r:kerberos_port_t:s0 1846portcon udp 517 system_u:object_r:ktalkd_port_t:s0 1847portcon udp 518 system_u:object_r:ktalkd_port_t:s0 1848portcon tcp 389 system_u:object_r:ldap_port_t:s0 1849portcon udp 389 system_u:object_r:ldap_port_t:s0 1850portcon tcp 636 
system_u:object_r:ldap_port_t:s0 1851portcon udp 636 system_u:object_r:ldap_port_t:s0 1852portcon tcp 2000 system_u:object_r:mail_port_t:s0 1853portcon tcp 1234 system_u:object_r:monopd_port_t:s0 1854portcon tcp 3306 system_u:object_r:mysqld_port_t:s0 1855portcon tcp 1241 system_u:object_r:nessus_port_t:s0 1856portcon udp 137 system_u:object_r:nmbd_port_t:s0 1857portcon udp 138 system_u:object_r:nmbd_port_t:s0 1858portcon udp 139 system_u:object_r:nmbd_port_t:s0 1859portcon udp 123 system_u:object_r:ntp_port_t:s0 1860portcon udp 5000 system_u:object_r:openvpn_port_t:s0 1861portcon tcp 5988 system_u:object_r:pegasus_http_port_t:s0 1862portcon tcp 5989 system_u:object_r:pegasus_https_port_t:s0 1863portcon tcp 106 system_u:object_r:pop_port_t:s0 1864portcon tcp 109 system_u:object_r:pop_port_t:s0 1865portcon tcp 110 system_u:object_r:pop_port_t:s0 1866portcon tcp 143 system_u:object_r:pop_port_t:s0 1867portcon tcp 220 system_u:object_r:pop_port_t:s0 1868portcon tcp 993 system_u:object_r:pop_port_t:s0 1869portcon tcp 995 system_u:object_r:pop_port_t:s0 1870portcon tcp 1109 system_u:object_r:pop_port_t:s0 1871portcon udp 111 system_u:object_r:portmap_port_t:s0 1872portcon tcp 111 system_u:object_r:portmap_port_t:s0 1873portcon tcp 5432 system_u:object_r:postgresql_port_t:s0 1874portcon tcp 60000 system_u:object_r:postgrey_port_t:s0 1875portcon tcp 515 system_u:object_r:printer_port_t:s0 1876portcon tcp 5703 system_u:object_r:ptal_port_t:s0 1877portcon udp 4011 system_u:object_r:pxe_port_t:s0 1878portcon udp 24441 system_u:object_r:pyzor_port_t:s0 1879portcon udp 1646 system_u:object_r:radacct_port_t:s0 1880portcon udp 1813 system_u:object_r:radacct_port_t:s0 1881portcon udp 1645 system_u:object_r:radius_port_t:s0 1882portcon udp 1812 system_u:object_r:radius_port_t:s0 1883portcon tcp 2703 system_u:object_r:razor_port_t:s0 1884portcon tcp 513 system_u:object_r:rlogind_port_t:s0 1885portcon tcp 953 system_u:object_r:rndc_port_t:s0 1886portcon udp 520 
system_u:object_r:router_port_t:s0 1887portcon tcp 514 system_u:object_r:rsh_port_t:s0 1888portcon tcp 873 system_u:object_r:rsync_port_t:s0 1889portcon udp 873 system_u:object_r:rsync_port_t:s0 1890portcon tcp 137-139 system_u:object_r:smbd_port_t:s0 1891portcon tcp 445 system_u:object_r:smbd_port_t:s0 1892portcon tcp 25 system_u:object_r:smtp_port_t:s0 1893portcon tcp 465 system_u:object_r:smtp_port_t:s0 1894portcon tcp 587 system_u:object_r:smtp_port_t:s0 1895portcon udp 161 system_u:object_r:snmp_port_t:s0 1896portcon udp 162 system_u:object_r:snmp_port_t:s0 1897portcon tcp 199 system_u:object_r:snmp_port_t:s0 1898portcon tcp 783 system_u:object_r:spamd_port_t:s0 1899portcon tcp 22 system_u:object_r:ssh_port_t:s0 1900portcon tcp 8000 system_u:object_r:soundd_port_t:s0 1901portcon tcp 9433 system_u:object_r:soundd_port_t:s0 1902portcon tcp 901 system_u:object_r:swat_port_t:s0 1903portcon udp 514 system_u:object_r:syslogd_port_t:s0 1904portcon tcp 23 system_u:object_r:telnetd_port_t:s0 1905portcon udp 69 system_u:object_r:tftp_port_t:s0 1906portcon tcp 8081 system_u:object_r:transproxy_port_t:s0 1907portcon tcp 540 system_u:object_r:uucpd_port_t:s0 1908portcon tcp 5900 system_u:object_r:vnc_port_t:s0 1909portcon tcp 6001 system_u:object_r:xserver_port_t:s0 1910portcon tcp 6002 system_u:object_r:xserver_port_t:s0 1911portcon tcp 6003 system_u:object_r:xserver_port_t:s0 1912portcon tcp 6004 system_u:object_r:xserver_port_t:s0 1913portcon tcp 6005 system_u:object_r:xserver_port_t:s0 1914portcon tcp 6006 system_u:object_r:xserver_port_t:s0 1915portcon tcp 6007 system_u:object_r:xserver_port_t:s0 1916portcon tcp 6008 system_u:object_r:xserver_port_t:s0 1917portcon tcp 6009 system_u:object_r:xserver_port_t:s0 1918portcon tcp 6010 system_u:object_r:xserver_port_t:s0 1919portcon tcp 6011 system_u:object_r:xserver_port_t:s0 1920portcon tcp 6012 system_u:object_r:xserver_port_t:s0 1921portcon tcp 6013 system_u:object_r:xserver_port_t:s0 1922portcon tcp 6014 
system_u:object_r:xserver_port_t:s0 1923portcon tcp 6015 system_u:object_r:xserver_port_t:s0 1924portcon tcp 6016 system_u:object_r:xserver_port_t:s0 1925portcon tcp 6017 system_u:object_r:xserver_port_t:s0 1926portcon tcp 6018 system_u:object_r:xserver_port_t:s0 1927portcon tcp 6019 system_u:object_r:xserver_port_t:s0 1928portcon tcp 8002 system_u:object_r:xen_port_t:s0 1929portcon tcp 2601 system_u:object_r:zebra_port_t:s0 1930portcon tcp 8021 system_u:object_r:zope_port_t:s0 1931portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0 1932portcon udp 1-1023 system_u:object_r:reserved_port_t:s0 1933nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:compat_ipv4_node_t:s0 1934nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t:s0 1935nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:link_local_node_t:s0 1936nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0 1937nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:mapped_ipv4_node_t:s0 1938nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0 1939nodecon fec0:: ffc0:: system_u:object_r:site_local_node_t:s0 1940nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:unspec_node_t:s0 1941