Diffstat (limited to 'policy/modules/apps')
-rw-r--r--policy/modules/apps/ada.fc5
-rw-r--r--policy/modules/apps/ada.if45
-rw-r--r--policy/modules/apps/ada.te27
-rw-r--r--policy/modules/apps/awstats.fc5
-rw-r--r--policy/modules/apps/awstats.if21
-rw-r--r--policy/modules/apps/awstats.te98
-rw-r--r--policy/modules/apps/calamaris.fc5
-rw-r--r--policy/modules/apps/calamaris.if101
-rw-r--r--policy/modules/apps/calamaris.te73
-rw-r--r--policy/modules/apps/cdrecord.fc3
-rw-r--r--policy/modules/apps/cdrecord.if32
-rw-r--r--policy/modules/apps/cdrecord.te115
-rw-r--r--policy/modules/apps/cpufreqselector.fc1
-rw-r--r--policy/modules/apps/cpufreqselector.if22
-rw-r--r--policy/modules/apps/cpufreqselector.te53
-rw-r--r--policy/modules/apps/evolution.fc17
-rw-r--r--policy/modules/apps/evolution.if228
-rw-r--r--policy/modules/apps/evolution.te548
-rw-r--r--policy/modules/apps/firewallgui.fc1
-rw-r--r--policy/modules/apps/firewallgui.if41
-rw-r--r--policy/modules/apps/firewallgui.te73
-rw-r--r--policy/modules/apps/games.fc60
-rw-r--r--policy/modules/apps/games.if99
-rw-r--r--policy/modules/apps/games.te197
-rw-r--r--policy/modules/apps/gift.fc6
-rw-r--r--policy/modules/apps/gift.if40
-rw-r--r--policy/modules/apps/gift.te144
-rw-r--r--policy/modules/apps/gitosis.fc7
-rw-r--r--policy/modules/apps/gitosis.if87
-rw-r--r--policy/modules/apps/gitosis.te65
-rw-r--r--policy/modules/apps/gnome.fc28
-rw-r--r--policy/modules/apps/gnome.if809
-rw-r--r--policy/modules/apps/gnome.te215
-rw-r--r--policy/modules/apps/gpg.fc16
-rw-r--r--policy/modules/apps/gpg.if336
-rw-r--r--policy/modules/apps/gpg.te404
-rw-r--r--policy/modules/apps/irc.fc10
-rw-r--r--policy/modules/apps/irc.if48
-rw-r--r--policy/modules/apps/irc.te144
-rw-r--r--policy/modules/apps/java.fc38
-rw-r--r--policy/modules/apps/java.if383
-rw-r--r--policy/modules/apps/java.te202
-rw-r--r--policy/modules/apps/libmtp.fc3
-rw-r--r--policy/modules/apps/libmtp.if30
-rw-r--r--policy/modules/apps/libmtp.te60
-rw-r--r--policy/modules/apps/lightsquid.fc11
-rw-r--r--policy/modules/apps/lightsquid.if80
-rw-r--r--policy/modules/apps/lightsquid.te52
-rw-r--r--policy/modules/apps/livecd.fc1
-rw-r--r--policy/modules/apps/livecd.if102
-rw-r--r--policy/modules/apps/livecd.te48
-rw-r--r--policy/modules/apps/loadkeys.fc2
-rw-r--r--policy/modules/apps/loadkeys.if67
-rw-r--r--policy/modules/apps/loadkeys.te57
-rw-r--r--policy/modules/apps/lockdev.fc5
-rw-r--r--policy/modules/apps/lockdev.if42
-rw-r--r--policy/modules/apps/lockdev.te39
-rw-r--r--policy/modules/apps/man2html.fc5
-rw-r--r--policy/modules/apps/man2html.if1
-rw-r--r--policy/modules/apps/man2html.te26
-rw-r--r--policy/modules/apps/mandb.fc3
-rw-r--r--policy/modules/apps/mandb.if74
-rw-r--r--policy/modules/apps/mandb.te63
-rw-r--r--policy/modules/apps/mono.fc1
-rw-r--r--policy/modules/apps/mono.if149
-rw-r--r--policy/modules/apps/mono.te67
-rw-r--r--policy/modules/apps/mozilla.fc50
-rw-r--r--policy/modules/apps/mozilla.if638
-rw-r--r--policy/modules/apps/mozilla.te833
-rw-r--r--policy/modules/apps/mplayer.fc17
-rw-r--r--policy/modules/apps/mplayer.if163
-rw-r--r--policy/modules/apps/mplayer.te282
-rw-r--r--policy/modules/apps/openoffice.fc30
-rw-r--r--policy/modules/apps/openoffice.if134
-rw-r--r--policy/modules/apps/openoffice.te158
-rw-r--r--policy/modules/apps/podsleuth.fc5
-rw-r--r--policy/modules/apps/podsleuth.if46
-rw-r--r--policy/modules/apps/podsleuth.te97
-rw-r--r--policy/modules/apps/ptchown.fc3
-rw-r--r--policy/modules/apps/ptchown.if65
-rw-r--r--policy/modules/apps/ptchown.te34
-rw-r--r--policy/modules/apps/pulseaudio.fc11
-rw-r--r--policy/modules/apps/pulseaudio.if422
-rw-r--r--policy/modules/apps/pulseaudio.te308
-rw-r--r--policy/modules/apps/qemu.fc19
-rw-r--r--policy/modules/apps/qemu.if434
-rw-r--r--policy/modules/apps/qemu.te136
-rw-r--r--policy/modules/apps/rssh.fc3
-rw-r--r--policy/modules/apps/rssh.if112
-rw-r--r--policy/modules/apps/rssh.te99
-rw-r--r--policy/modules/apps/sambagui.fc1
-rw-r--r--policy/modules/apps/sambagui.if1
-rw-r--r--policy/modules/apps/sambagui.te66
-rw-r--r--policy/modules/apps/screen.fc9
-rw-r--r--policy/modules/apps/screen.if92
-rw-r--r--policy/modules/apps/screen.te126
-rw-r--r--policy/modules/apps/slocate.fc7
-rw-r--r--policy/modules/apps/slocate.if21
-rw-r--r--policy/modules/apps/slocate.te73
-rw-r--r--policy/modules/apps/syncthing.fc3
-rw-r--r--policy/modules/apps/syncthing.if31
-rw-r--r--policy/modules/apps/syncthing.te69
-rw-r--r--policy/modules/apps/telepathy.fc35
-rw-r--r--policy/modules/apps/telepathy.if247
-rw-r--r--policy/modules/apps/telepathy.te485
-rw-r--r--policy/modules/apps/thunderbird.fc13
-rw-r--r--policy/modules/apps/thunderbird.if59
-rw-r--r--policy/modules/apps/thunderbird.te217
-rw-r--r--policy/modules/apps/tvtime.fc3
-rw-r--r--policy/modules/apps/tvtime.if38
-rw-r--r--policy/modules/apps/tvtime.te94
-rw-r--r--policy/modules/apps/uml.fc5
-rw-r--r--policy/modules/apps/uml.if81
-rw-r--r--policy/modules/apps/uml.te185
-rw-r--r--policy/modules/apps/userhelper.fc6
-rw-r--r--policy/modules/apps/userhelper.if231
-rw-r--r--policy/modules/apps/userhelper.te163
-rw-r--r--policy/modules/apps/usernetctl.fc3
-rw-r--r--policy/modules/apps/usernetctl.if47
-rw-r--r--policy/modules/apps/usernetctl.te78
-rw-r--r--policy/modules/apps/vlock.fc4
-rw-r--r--policy/modules/apps/vlock.if47
-rw-r--r--policy/modules/apps/vlock.te43
-rw-r--r--policy/modules/apps/vmware.fc54
-rw-r--r--policy/modules/apps/vmware.if114
-rw-r--r--policy/modules/apps/vmware.te283
-rw-r--r--policy/modules/apps/webalizer.fc9
-rw-r--r--policy/modules/apps/webalizer.if67
-rw-r--r--policy/modules/apps/webalizer.te95
-rw-r--r--policy/modules/apps/wine.fc24
-rw-r--r--policy/modules/apps/wine.if166
-rw-r--r--policy/modules/apps/wine.te84
-rw-r--r--policy/modules/apps/wireshark.fc3
-rw-r--r--policy/modules/apps/wireshark.if57
-rw-r--r--policy/modules/apps/wireshark.te133
-rw-r--r--policy/modules/apps/wm.fc5
-rw-r--r--policy/modules/apps/wm.if252
-rw-r--r--policy/modules/apps/wm.te152
-rw-r--r--policy/modules/apps/xscreensaver.fc7
-rw-r--r--policy/modules/apps/xscreensaver.if41
-rw-r--r--policy/modules/apps/xscreensaver.te115
-rw-r--r--policy/modules/apps/yam.fc6
-rw-r--r--policy/modules/apps/yam.if66
-rw-r--r--policy/modules/apps/yam.te96
144 files changed, 14351 insertions, 0 deletions
diff --git a/policy/modules/apps/ada.fc b/policy/modules/apps/ada.fc
new file mode 100644
index 00000000..f1502de8
--- /dev/null
+++ b/policy/modules/apps/ada.fc
@@ -0,0 +1,5 @@
+/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0)
+/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0)
+
+/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if
new file mode 100644
index 00000000..e514e8a9
--- /dev/null
+++ b/policy/modules/apps/ada.if
@@ -0,0 +1,45 @@
+## <summary>GNAT Ada95 compiler.</summary>
+
+########################################
+## <summary>
+## Execute the ada program in the ada domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ada_domtrans',`
+ gen_require(`
+ type ada_t, ada_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ada_exec_t, ada_t)
+')
+
+########################################
+## <summary>
+## Execute ada in the ada domain, and
+## allow the specified role the ada domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ada_run',`
+ gen_require(`
+ attribute_role ada_roles;
+ ')
+
+ ada_domtrans($1)
+ roleattribute $2 ada_roles;
+')
diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te
new file mode 100644
index 00000000..8d42c97a
--- /dev/null
+++ b/policy/modules/apps/ada.te
@@ -0,0 +1,27 @@
+policy_module(ada, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ada_roles;
+roleattribute system_r ada_roles;
+
+type ada_t;
+type ada_exec_t;
+application_domain(ada_t, ada_exec_t)
+role ada_roles types ada_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ada_t self:process { execstack execmem };
+
+userdom_use_user_terminals(ada_t)
+
+optional_policy(`
+ unconfined_domain(ada_t)
+')
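Review bot: The closing `optional_policy(` block calls `unconfined_domain(ada_t)`, which makes ada_t fully unconfined whenever the unconfined module is loaded, so the `execstack execmem` rule above it and the domain transition from ada.if provide no containment in that configuration. That is a known refpolicy pattern for compilers, but nothing in the module says so, and a reader auditing what ada_t may do will otherwise stop at the two-line local policy. I would add a comment above the block, `# ada_t is made unconfined when the unconfined module is present; the rules above are all that confine it otherwise`, so the intent is explicit.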
diff --git a/policy/modules/apps/awstats.fc b/policy/modules/apps/awstats.fc
new file mode 100644
index 00000000..11e6d5ff
--- /dev/null
+++ b/policy/modules/apps/awstats.fc
@@ -0,0 +1,5 @@
+/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0)
+/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0)
+/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0)
+
+/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0)
diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if
new file mode 100644
index 00000000..e86fe87f
--- /dev/null
+++ b/policy/modules/apps/awstats.if
@@ -0,0 +1,21 @@
+## <summary>Log file analyzer for advanced statistics.</summary>
+
+########################################
+## <summary>
+## Execute the awstats program in
+## the awstats domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`awstats_domtrans',`
+ gen_require(`
+ type awstats_t, awstats_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, awstats_exec_t, awstats_t)
+')
diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te
new file mode 100644
index 00000000..c1b16c39
--- /dev/null
+++ b/policy/modules/apps/awstats.te
@@ -0,0 +1,98 @@
+policy_module(awstats, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether awstats can
+## purge httpd log files.
+## </p>
+## </desc>
+gen_tunable(awstats_purge_apache_log_files, false)
+
+type awstats_t;
+type awstats_exec_t;
+domain_type(awstats_t)
+domain_entry_file(awstats_t, awstats_exec_t)
+role system_r types awstats_t;
+
+type awstats_tmp_t;
+files_tmp_file(awstats_tmp_t)
+
+type awstats_var_lib_t;
+files_type(awstats_var_lib_t)
+
+apache_content_template(awstats)
+
+########################################
+#
+# Local policy
+#
+
+allow awstats_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
+
+manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t)
+
+allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms;
+
+can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t })
+
+kernel_dontaudit_read_system_state(awstats_t)
+
+corecmd_exec_bin(awstats_t)
+corecmd_exec_shell(awstats_t)
+
+dev_read_urand(awstats_t)
+
+files_dontaudit_search_all_mountpoints(awstats_t)
+files_read_etc_files(awstats_t)
+files_read_usr_files(awstats_t)
+
+fs_list_inotifyfs(awstats_t)
+
+libs_read_lib_files(awstats_t)
+
+logging_read_generic_logs(awstats_t)
+
+miscfiles_read_localization(awstats_t)
+
+sysnet_dns_name_resolve(awstats_t)
+
+tunable_policy(`awstats_purge_apache_log_files',`
+ apache_write_log(awstats_t)
+')
+
+optional_policy(`
+ apache_read_log(awstats_t)
+')
+
+optional_policy(`
+ cron_system_entry(awstats_t, awstats_exec_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(awstats_t)
+')
+
+optional_policy(`
+ squid_read_log(awstats_t)
+')
+
+########################################
+#
+# CGI local policy
+#
+
+allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
+
+read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(httpd_awstats_script_t)
+
+apache_read_log(httpd_awstats_script_t)
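Review bot: The `optional_policy` wrapper around `apache_read_log(awstats_t)` in the main policy is inconsistent with the rest of the hunk: `apache_content_template(awstats)` is called unconditionally in the declarations and `apache_write_log(awstats_t)` sits in a bare `tunable_policy`, so the apache module is already a hard dependency and the wrapper only suggests otherwise. Either drop the wrapper and place `apache_read_log(awstats_t)` at top level next to `logging_read_generic_logs(awstats_t)`, or wrap the template and the tunable block the same way. Separately, the tunable `<desc>` says awstats can "purge" httpd log files while the rule grants `apache_write_log`; the description should state which operation that covers (truncate versus unlink), since a reader cannot tell from here whether write access is what awstats actually needs.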
diff --git a/policy/modules/apps/calamaris.fc b/policy/modules/apps/calamaris.fc
new file mode 100644
index 00000000..1bf35dbb
--- /dev/null
+++ b/policy/modules/apps/calamaris.fc
@@ -0,0 +1,5 @@
+/etc/cron\.daily/calamaris -- gen_context(system_u:object_r:calamaris_exec_t,s0)
+
+/var/log/calamaris(/.*)? gen_context(system_u:object_r:calamaris_log_t,s0)
+
+/var/www/calamaris(/.*)? gen_context(system_u:object_r:calamaris_www_t,s0)
diff --git a/policy/modules/apps/calamaris.if b/policy/modules/apps/calamaris.if
new file mode 100644
index 00000000..cd9c5287
--- /dev/null
+++ b/policy/modules/apps/calamaris.if
@@ -0,0 +1,101 @@
+## <summary>Squid log analysis.</summary>
+
+########################################
+## <summary>
+## Execute the calamaris in
+## the calamaris domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`calamaris_domtrans',`
+ gen_require(`
+ type calamaris_t, calamaris_exec_t;
+ ')
+
+ files_search_etc($1)
+ domtrans_pattern($1, calamaris_exec_t, calamaris_t)
+')
+
+########################################
+## <summary>
+## Execute calamaris in the
+## calamaris domain, and allow the
+## specified role the calamaris domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`calamaris_run',`
+ gen_require(`
+ attribute_role calamaris_roles;
+ ')
+
+ lightsquid_domtrans($1)
+ roleattribute $2 calamaris_roles;
+')
+
+#######################################
+## <summary>
+## Read calamaris www files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`calamaris_read_www_files',`
+ gen_require(`
+ type calamaris_www_t;
+ ')
+
+ allow $1 calamaris_www_t:dir list_dir_perms;
+ read_files_pattern($1, calamaris_www_t, calamaris_www_t)
+ read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an calamaris environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`calamaris_admin',`
+ gen_require(`
+ type calamaris_t, calamaris_log_t, calamaris_www_t;
+ ')
+
+ allow $1 calamaris_t:process { ptrace signal_perms };
+ ps_process_pattern($1, calamaris_t)
+
+ calamaris_run($1, $2)
+
+ logging_list_logs($1)
+ admin_pattern($1, calamaris_log_t)
+
+ apache_list_sys_content($1)
+ admin_pattern($1, calamaris_www_t)
+')
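Review bot: `calamaris_run` calls `lightsquid_domtrans($1)` instead of `calamaris_domtrans($1)`, so a role granted through this interface, and through `calamaris_admin` which calls it, receives the calamaris_roles attribute but a transition into the lightsquid domain rather than into calamaris_t; the calamaris transition is never granted and an unrelated module's entry point is. The line should read `calamaris_domtrans($1)`. Note also that `calamaris_domtrans` correctly uses `files_search_etc` rather than `corecmd_search_bin`, matching the `/etc/cron.daily/calamaris` entry in calamaris.fc, so only the one call needs to change.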
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
new file mode 100644
index 00000000..7e574604
--- /dev/null
+++ b/policy/modules/apps/calamaris.te
@@ -0,0 +1,73 @@
+policy_module(calamaris, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role calamaris_roles;
+
+type calamaris_t;
+type calamaris_exec_t;
+application_domain(calamaris_t, calamaris_exec_t)
+role calamaris_roles types calamaris_t;
+
+type calamaris_log_t;
+logging_log_file(calamaris_log_t)
+
+type calamaris_www_t;
+files_type(calamaris_www_t)
+
+########################################
+#
+# Local policy
+#
+
+allow calamaris_t self:capability dac_override;
+allow calamaris_t self:process { signal_perms setsched };
+allow calamaris_t self:fifo_file rw_fifo_file_perms;
+allow calamaris_t self:unix_stream_socket { accept listen };
+allow calamaris_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(calamaris_t, calamaris_log_t, calamaris_log_t)
+manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t)
+logging_log_filetrans(calamaris_t, calamaris_log_t, { dir file })
+
+manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
+manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
+
+kernel_read_all_sysctls(calamaris_t)
+kernel_read_system_state(calamaris_t)
+
+corecmd_exec_bin(calamaris_t)
+
+dev_read_urand(calamaris_t)
+
+files_read_usr_files(calamaris_t)
+files_read_etc_runtime_files(calamaris_t)
+
+libs_read_lib_files(calamaris_t)
+
+auth_use_nsswitch(calamaris_t)
+
+logging_send_syslog_msg(calamaris_t)
+
+miscfiles_read_localization(calamaris_t)
+
+userdom_dontaudit_list_user_home_dirs(calamaris_t)
+
+optional_policy(`
+ apache_search_sys_content(calamaris_t)
+')
+
+optional_policy(`
+ cron_system_entry(calamaris_t, calamaris_exec_t)
+')
+
+optional_policy(`
+ mta_send_mail(calamaris_t)
+')
+
+optional_policy(`
+ squid_read_log(calamaris_t)
+')
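Review bot: `allow calamaris_t self:capability dac_override;` is granted without a comment and nothing else in the hunk shows which file it is needed for; dac_override lets the domain bypass mode bits on every file type it is otherwise allowed, including the squid logs and the www tree, so the reason should be recorded, e.g. `# dac_override: presumably for reading squid logs not readable by the cron uid -- confirm against audit log`. The `allow calamaris_t self:tcp_socket { accept listen };` rule also looks out of place for a cron-driven log analyzer: nothing in the hunk binds to a port and the only network-related call is `auth_use_nsswitch`, so if no audit denial motivates it the line can go. If it is kept, a one-line comment naming what listens would help the next reader.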
diff --git a/policy/modules/apps/cdrecord.fc b/policy/modules/apps/cdrecord.fc
new file mode 100644
index 00000000..819562d0
--- /dev/null
+++ b/policy/modules/apps/cdrecord.fc
@@ -0,0 +1,3 @@
+/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
new file mode 100644
index 00000000..fbc20f69
--- /dev/null
+++ b/policy/modules/apps/cdrecord.if
@@ -0,0 +1,32 @@
+## <summary>Record audio or data Compact Discs from a master.</summary>
+
+########################################
+## <summary>
+## Role access for cdrecord.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`cdrecord_role',`
+ gen_require(`
+ attribute_role cdrecord_roles;
+ type cdrecord_t, cdrecord_exec_t;
+ ')
+
+ roleattribute $1 cdrecord_roles;
+
+ domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
+
+ allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
+
+ allow $2 cdrecord_t:process { ptrace signal_perms };
+ ps_process_pattern($2, cdrecord_t)
+')
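Review bot: `allow $2 cdrecord_t:process { ptrace signal_perms };` lets the calling user domain attach to cdrecord_t, a domain that cdrecord.te in this commit gives `sys_rawio`, `setuid` and raw read/write on removable devices. If cdrecord/wodim is installed setuid root (the `setuid` capability suggests it may be), ptrace from the unprivileged user domain is a route to those privileges that the policy would otherwise close, leaving only the kernel's DAC/dumpable check in the way; ptrace in a *_role interface is conventional in refpolicy but is not needed to run the tool. I would grant signals only, `allow $2 cdrecord_t:process signal_perms;`, and leave ptrace to an admin interface or a debugging boolean.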
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
new file mode 100644
index 00000000..4af7717a
--- /dev/null
+++ b/policy/modules/apps/cdrecord.te
@@ -0,0 +1,115 @@
+policy_module(cdrecord, 2.6.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether cdrecord can read
+## various content. nfs, samba, removable
+## devices, user temp and untrusted
+## content files
+## </p>
+## </desc>
+gen_tunable(cdrecord_read_content, false)
+
+attribute_role cdrecord_roles;
+
+type cdrecord_t;
+type cdrecord_exec_t;
+typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t };
+typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t };
+userdom_user_application_domain(cdrecord_t, cdrecord_exec_t)
+role cdrecord_roles types cdrecord_t;
+
+########################################
+#
+# Local policy
+#
+
+allow cdrecord_t self:capability { dac_override ipc_lock setuid sys_nice sys_rawio };
+allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
+allow cdrecord_t self:unix_stream_socket { accept listen };
+
+corecmd_exec_bin(cdrecord_t)
+
+dev_list_all_dev_nodes(cdrecord_t)
+dev_read_sysfs(cdrecord_t)
+
+domain_interactive_fd(cdrecord_t)
+domain_use_interactive_fds(cdrecord_t)
+
+files_read_etc_files(cdrecord_t)
+
+term_use_controlling_term(cdrecord_t)
+term_list_ptys(cdrecord_t)
+
+storage_raw_read_removable_device(cdrecord_t)
+storage_raw_write_removable_device(cdrecord_t)
+storage_write_scsi_generic(cdrecord_t)
+
+logging_send_syslog_msg(cdrecord_t)
+
+miscfiles_read_localization(cdrecord_t)
+
+userdom_use_user_terminals(cdrecord_t)
+userdom_read_user_home_content_files(cdrecord_t)
+
+tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_nfs_files(cdrecord_t)
+ fs_dontaudit_list_nfs(cdrecord_t)
+')
+
+tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_cifs_files(cdrecord_t)
+ fs_read_cifs_symlinks(cdrecord_t)
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_cifs_files(cdrecord_t)
+ fs_dontaudit_list_cifs(cdrecord_t)
+')
+
+tunable_policy(`cdrecord_read_content',`
+ userdom_list_user_tmp(cdrecord_t)
+ userdom_read_user_tmp_files(cdrecord_t)
+ userdom_read_user_tmp_symlinks(cdrecord_t)
+ userdom_read_user_home_content_files(cdrecord_t)
+ userdom_read_user_home_content_symlinks(cdrecord_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(cdrecord_t)
+ fs_read_removable_files(cdrecord_t)
+ fs_read_removable_symlinks(cdrecord_t)
+ ')
+',`
+ files_dontaudit_list_tmp(cdrecord_t)
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_removable(cdrecord_t)
+ fs_dontaudit_read_removable_files(cdrecord_t)
+ userdom_dontaudit_list_user_tmp(cdrecord_t)
+ userdom_dontaudit_read_user_tmp_files(cdrecord_t)
+ userdom_dontaudit_list_user_home_dirs(cdrecord_t)
+ userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ files_search_mnt(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+')
+
+optional_policy(`
+ resmgr_stream_connect(cdrecord_t)
+')
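Review bot: The unconditional `userdom_read_user_home_content_files(cdrecord_t)` in the local policy makes the `cdrecord_read_content` tunable a no-op for home files: the same interface is repeated inside the tunable's true branch, and the false branch's `userdom_dontaudit_read_user_home_content_files(cdrecord_t)` then only silences a denial that can never occur. The trailing `tunable_policy(`use_nfs_home_dirs'` block likewise grants NFS file reads regardless of `cdrecord_read_content`, undercutting the combined `cdrecord_read_content && use_nfs_home_dirs` gate above it. If the tunable is meant to control what cdrecord can read, drop the unconditional `userdom_read_user_home_content_files(cdrecord_t)` line and the trailing `use_nfs_home_dirs` block; if home reads are meant to be always on, remove the duplicate from the true branch and the dontaudit from the false branch so the policy states one intent.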
diff --git a/policy/modules/apps/cpufreqselector.fc b/policy/modules/apps/cpufreqselector.fc
new file mode 100644
index 00000000..b187f0f7
--- /dev/null
+++ b/policy/modules/apps/cpufreqselector.fc
@@ -0,0 +1 @@
+/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0)
diff --git a/policy/modules/apps/cpufreqselector.if b/policy/modules/apps/cpufreqselector.if
new file mode 100644
index 00000000..932fa532
--- /dev/null
+++ b/policy/modules/apps/cpufreqselector.if
@@ -0,0 +1,22 @@
+## <summary>Command-line CPU frequency settings.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## cpufreq-selector over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cpufreqselector_dbus_chat',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+ allow cpufreqselector_t $1:dbus send_msg;
+')
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
new file mode 100644
index 00000000..6cedb872
--- /dev/null
+++ b/policy/modules/apps/cpufreqselector.te
@@ -0,0 +1,53 @@
+policy_module(cpufreqselector, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpufreqselector_t;
+type cpufreqselector_exec_t;
+init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:process getsched;
+allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(cpufreqselector_t)
+
+files_read_etc_files(cpufreqselector_t)
+files_read_usr_files(cpufreqselector_t)
+
+dev_rw_sysfs(cpufreqselector_t)
+
+miscfiles_read_localization(cpufreqselector_t)
+
+userdom_read_all_users_state(cpufreqselector_t)
+userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+
+optional_policy(`
+ dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(cpufreqselector_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(cpufreqselector_t)
+ ')
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(cpufreqselector_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(cpufreqselector_t)
+ policykit_read_lib(cpufreqselector_t)
+ policykit_read_reload(cpufreqselector_t)
+')
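Review bot: `allow cpufreqselector_t self:capability { sys_nice sys_ptrace };` grants sys_ptrace with no comment, and the only rule in the hunk that plausibly needs it is `userdom_read_all_users_state(cpufreqselector_t)` (reading other users' /proc entries, presumably to identify the dbus caller -- TODO confirm against an audit log). A why-comment on the capability line would stop the next reader from assuming the daemon attaches to processes, e.g. `# sys_ptrace: for reading other users' /proc state (userdom_read_all_users_state), not for attaching`. `dev_rw_sysfs` is also wider than the cpufreq nodes the tool writes, and nothing in this hunk offers a finer type, so a comment noting that the write access is broader than intended is the best available here.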
diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc
new file mode 100644
index 00000000..7f5e8980
--- /dev/null
+++ b/policy/modules/apps/evolution.fc
@@ -0,0 +1,17 @@
+HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.config/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_config_t,s0)
+HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.local/share/evolution(/.*)? gen_context(system_u:object_r:evolution_xdg_config_t,s0)
+HOME_DIR/\.local/share/camel_certs(/.*)? gen_context(system_u:object_r:evolution_xdg_config_t,s0)
+
+/tmp/\.exchange-%{USERNAME}(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
+
+/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0)
+
+/usr/lib/evolution/[^/]*/evolution-alarm-notify -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
+/usr/lib/evolution-webcal/evolution-webcal -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
+
+/usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0)
+/usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
+/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0)
+/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
new file mode 100644
index 00000000..32cc77f2
--- /dev/null
+++ b/policy/modules/apps/evolution.if
@@ -0,0 +1,228 @@
+## <summary>Evolution email client.</summary>
+
+########################################
+## <summary>
+## Role access for evolution.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`evolution_role',`
+ gen_require(`
+ attribute_role evolution_roles;
+ type evolution_t, evolution_exec_t, evolution_home_t;
+ type evolution_alarm_t, evolution_alarm_exec_t, evolution_alarm_orbit_tmp_t;
+ type evolution_exchange_t, evolution_exchange_exec_t, evolution_exchange_tmp_t;
+ type evolution_exchange_orbit_tmp_t, evolution_orbit_tmp_t, evolution_server_orbit_tmp_t;
+ type evolution_server_t, evolution_server_exec_t, evolution_webcal_t;
+ type evolution_webcal_exec_t, evolution_alarm_tmpfs_t, evolution_exchange_tmpfs_t;
+ type evolution_tmpfs_t, evolution_webcal_tmpfs_t;
+ ')
+
+ roleattribute $1 evolution_roles;
+
+ domtrans_pattern($2, evolution_exec_t, evolution_t)
+ domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
+ domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
+ domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
+ domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
+
+ allow $2 { evolution_t evolution_alarm_t evolution_exchange_t evolution_server_t evolution_webcal_t }:process { noatsecure ptrace signal_perms };
+ ps_process_pattern($2, { evolution_t evolution_alarm_t evolution_exchange_t })
+ ps_process_pattern($2, { evolution_server_t evolution_webcal_t })
+
+ allow evolution_t $2:dir search_dir_perms;
+ allow evolution_t $2:file read_file_perms;
+ allow evolution_t $2:lnk_file read_lnk_file_perms;
+
+ allow $2 evolution_home_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $2 evolution_home_t:file { relabel_file_perms manage_file_perms };
+ allow $2 evolution_home_t:lnk_file { relabel_lnk_file_perms manage_lnk_file_perms };
+
+ userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".camel_certs")
+ userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".evolution")
+
+ allow $2 evolution_exchange_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { evolution_alarm_orbit_tmp_t evolution_exchange_orbit_tmp_t evolution_orbit_tmp_t evolution_server_orbit_tmp_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+
+ allow { evolution_t evolution_exchange_t } $2:unix_stream_socket connectto;
+
+ stream_connect_pattern($2, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+ stream_connect_pattern($2, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+
+ optional_policy(`
+ evolution_dbus_chat($2)
+ evolution_alarm_dbus_chat($2)
+ ')
+')
+
+########################################
+## <summary>
+## Create objects in the evolution home
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`evolution_home_filetrans',`
+ gen_require(`
+ type evolution_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, evolution_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Read evolution home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_home_files',`
+ gen_require(`
+ type evolution_t, evolution_home_t;
+ ')
+
+ read_files_pattern($1, evolution_home_t, evolution_home_t)
+')
+
+########################################
+## <summary>
+## Connect to evolution using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_stream_connect',`
+ gen_require(`
+ type evolution_t, evolution_orbit_tmp_t;
+ ')
+
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+')
+
+########################################
+## <summary>
+## Read evolution orbit temporary
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_read_orbit_tmp_files',`
+ gen_require(`
+ type evolution_orbit_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t)
+')
+
+
+########################################
+## <summary>
+## Send and receive messages from
+## evolution over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_dbus_chat',`
+ gen_require(`
+ type evolution_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 evolution_t:dbus send_msg;
+ allow evolution_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## evolution_alarm over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_alarm_dbus_chat',`
+ gen_require(`
+ type evolution_alarm_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 evolution_alarm_t:dbus send_msg;
+ allow evolution_alarm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Make a domain transition to the
+## evolution target domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`evolution_domtrans',`
+ gen_require(`
+ type evolution_t, evolution_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, evolution_exec_t, evolution_t)
+')
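Review bot: `evolution_read_home_files` requires `type evolution_t` that its body never uses, and its one-line summary understates what it grants: evolution.fc in this commit labels `~/.camel_certs` as evolution_home_t, so any caller of this interface gets read access to the user's certificate store as well as to mail data. The `gen_require` should list only `type evolution_home_t;`, and the summary should read `## Read evolution home files, including the user certificate store (~/.camel_certs).` so callers can judge whether that is wanted. The stray double blank line in `evolution_stream_connect` is a style nit in the same file.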
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
new file mode 100644
index 00000000..e8362b8a
--- /dev/null
+++ b/policy/modules/apps/evolution.te
@@ -0,0 +1,548 @@
+policy_module(evolution, 2.8.2)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow evolution to create and write
+## user certificates in addition to
+## being able to read them
+## </p>
+## </desc>
+gen_tunable(evolution_manage_user_certs, false)
+
+attribute_role evolution_roles;
+
+type evolution_t;
+type evolution_exec_t;
+typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t };
+typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t };
+userdom_user_application_domain(evolution_t, evolution_exec_t)
+role evolution_roles types evolution_t;
+
+optional_policy(`
+ wm_application_domain(evolution_t, evolution_exec_t)
+')
+
+type evolution_alarm_t;
+type evolution_alarm_exec_t;
+typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
+typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t };
+userdom_user_application_domain(evolution_alarm_t, evolution_alarm_exec_t)
+role evolution_roles types evolution_alarm_t;
+
+type evolution_alarm_tmpfs_t;
+typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
+typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
+userdom_user_tmpfs_file(evolution_alarm_tmpfs_t)
+
+type evolution_alarm_orbit_tmp_t;
+typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
+typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
+userdom_user_tmp_file(evolution_alarm_orbit_tmp_t)
+
+type evolution_exchange_t;
+type evolution_exchange_exec_t;
+typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t };
+typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t };
+userdom_user_application_domain(evolution_exchange_t, evolution_exchange_exec_t)
+role evolution_roles types evolution_exchange_t;
+
+type evolution_exchange_tmpfs_t;
+typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
+typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
+userdom_user_tmpfs_file(evolution_exchange_tmpfs_t)
+
+type evolution_exchange_tmp_t;
+typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
+typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
+userdom_user_tmp_file(evolution_exchange_tmp_t)
+
+type evolution_exchange_orbit_tmp_t;
+typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
+typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
+userdom_user_tmp_file(evolution_exchange_orbit_tmp_t)
+
+type evolution_home_t;
+typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
+typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
+userdom_user_home_content(evolution_home_t)
+
+type evolution_orbit_tmp_t;
+typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
+typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
+userdom_user_tmp_file(evolution_orbit_tmp_t)
+
+type evolution_server_t;
+type evolution_server_exec_t;
+typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t };
+typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t };
+userdom_user_application_domain(evolution_server_t, evolution_server_exec_t)
+role evolution_roles types evolution_server_t;
+
+type evolution_server_orbit_tmp_t;
+typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
+typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
+userdom_user_tmp_file(evolution_server_orbit_tmp_t)
+
+type evolution_tmpfs_t;
+typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
+typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
+userdom_user_tmpfs_file(evolution_tmpfs_t)
+
+type evolution_webcal_t;
+type evolution_webcal_exec_t;
+typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t };
+typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t };
+userdom_user_application_domain(evolution_webcal_t, evolution_webcal_exec_t)
+role evolution_roles types evolution_webcal_t;
+
+type evolution_webcal_tmpfs_t;
+typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
+typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
+userdom_user_tmpfs_file(evolution_webcal_tmpfs_t)
+
+type evolution_xdg_cache_t;
+xdg_cache_content(evolution_xdg_cache_t)
+
+type evolution_xdg_config_t;
+xdg_config_content(evolution_xdg_config_t)
+
+type evolution_xdg_data_t;
+xdg_data_content(evolution_xdg_data_t)
+
+########################################
+#
+# Local policy
+#
+
+allow evolution_t self:capability { setgid setuid sys_nice };
+allow evolution_t self:process { execmem getsched setsched signal signull };
+allow evolution_t self:fifo_file rw_file_perms;
+
+allow evolution_t evolution_home_t:dir manage_dir_perms;
+allow evolution_t evolution_home_t:file manage_file_perms;
+allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(evolution_t, evolution_home_t, dir, ".evolution")
+userdom_user_home_dir_filetrans(evolution_t, evolution_home_t, dir, ".camel_certs")
+
+allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
+allow evolution_t evolution_tmpfs_t:file manage_file_perms;
+allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow evolution_t { evolution_alarm_t evolution_server_t }:dir search_dir_perms;
+allow evolution_t { evolution_alarm_t evolution_server_t }:file read_file_perms;
+
+stream_connect_pattern(evolution_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
+stream_connect_pattern(evolution_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+stream_connect_pattern(evolution_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
+
+manage_files_pattern(evolution_t, evolution_xdg_cache_t, evolution_xdg_cache_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_cache_t, evolution_xdg_cache_t)
+xdg_cache_filetrans(evolution_t, evolution_xdg_cache_t, { dir file } )
+
+manage_files_pattern(evolution_t, evolution_xdg_config_t, evolution_xdg_config_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_config_t, evolution_xdg_config_t)
+xdg_config_filetrans(evolution_t, evolution_xdg_config_t, { dir file } )
+
+manage_files_pattern(evolution_t, evolution_xdg_data_t, evolution_xdg_data_t)
+manage_dirs_pattern(evolution_t, evolution_xdg_data_t, evolution_xdg_data_t)
+xdg_data_filetrans(evolution_t, evolution_xdg_data_t, { dir file } )
+
+can_exec(evolution_t, { evolution_alarm_exec_t evolution_server_exec_t })
+
+kernel_read_kernel_sysctls(evolution_t)
+kernel_read_system_state(evolution_t)
+kernel_read_network_state(evolution_t)
+kernel_read_net_sysctls(evolution_t)
+
+corecmd_exec_bin(evolution_t)
+corecmd_exec_shell(evolution_t)
+
+corenet_all_recvfrom_unlabeled(evolution_t)
+corenet_all_recvfrom_netlabel(evolution_t)
+corenet_tcp_sendrecv_generic_if(evolution_t)
+corenet_udp_sendrecv_generic_if(evolution_t)
+corenet_raw_sendrecv_generic_if(evolution_t)
+corenet_tcp_sendrecv_generic_node(evolution_t)
+corenet_udp_sendrecv_generic_node(evolution_t)
+corenet_tcp_sendrecv_all_ports(evolution_t)
+corenet_udp_sendrecv_all_ports(evolution_t)
+
+corenet_sendrecv_pop_client_packets(evolution_t)
+corenet_tcp_connect_pop_port(evolution_t)
+
+corenet_sendrecv_smtp_client_packets(evolution_t)
+corenet_tcp_connect_smtp_port(evolution_t)
+
+corenet_sendrecv_innd_client_packets(evolution_t)
+corenet_tcp_connect_innd_port(evolution_t)
+
+corenet_sendrecv_ldap_client_packets(evolution_t)
+corenet_tcp_connect_ldap_port(evolution_t)
+
+corenet_sendrecv_ipp_client_packets(evolution_t)
+corenet_tcp_connect_ipp_port(evolution_t)
+
+dev_read_rand(evolution_t)
+dev_read_urand(evolution_t)
+
+domain_dontaudit_read_all_domains_state(evolution_t)
+
+files_map_usr_files(evolution_t)
+files_read_usr_files(evolution_t)
+
+fs_dontaudit_getattr_xattr_fs(evolution_t)
+fs_getattr_tmpfs(evolution_t)
+fs_search_auto_mountpoints(evolution_t)
+fs_search_cgroup_dirs(evolution_t)
+
+auth_use_nsswitch(evolution_t)
+
+logging_send_syslog_msg(evolution_t)
+
+miscfiles_read_generic_certs(evolution_t)
+miscfiles_read_localization(evolution_t)
+
+udev_read_state(evolution_t)
+
+userdom_use_user_terminals(evolution_t)
+
+
+tunable_policy(`evolution_manage_user_certs',`
+ userdom_manage_user_certs(evolution_t)
+',`
+ userdom_dontaudit_manage_user_certs(evolution_t)
+ userdom_read_user_certs(evolution_t)
+')
+
+userdom_write_user_tmp_sockets(evolution_t)
+
+userdom_user_content_access_template(evolution, evolution_t)
+
+mta_read_config(evolution_t)
+
+xdg_manage_downloads(evolution_t)
+
+xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+xserver_read_xdm_tmp_files(evolution_t)
+
+ifndef(`enable_mls',`
+ fs_list_dos(evolution_t)
+ fs_read_dos_files(evolution_t)
+
+ fs_search_removable(evolution_t)
+ fs_read_removable_files(evolution_t)
+ fs_read_removable_symlinks(evolution_t)
+
+ fs_read_iso9660_files(evolution_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_t)
+ fs_manage_nfs_files(evolution_t)
+ fs_manage_nfs_symlinks(evolution_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_t)
+ fs_manage_cifs_files(evolution_t)
+ fs_manage_cifs_symlinks(evolution_t)
+')
+
+optional_policy(`
+ automount_read_state(evolution_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(evolution_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(evolution_t)
+ dbus_all_session_bus_client(evolution_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_t)
+')
+
+optional_policy(`
+ gpg_domtrans(evolution_t)
+ gpg_signal(evolution_t)
+')
+
+optional_policy(`
+ lpd_run_lpr(evolution_t, evolution_roles)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(evolution_t)
+ mozilla_domtrans(evolution_t)
+')
+
+optional_policy(`
+ ooffice_domtrans(evolution_t)
+ ooffice_rw_tmp_files(evolution_t)
+')
+
+optional_policy(`
+ spamassassin_exec_spamd(evolution_t)
+ spamassassin_domtrans_client(evolution_t)
+ spamassassin_domtrans_local_client(evolution_t)
+ spamassassin_read_spamd_tmp_files(evolution_t)
+ spamassassin_signal_spamd(evolution_t)
+ spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
+')
+
+########################################
+#
+# Alarm local policy
+#
+
+allow evolution_alarm_t self:process { signal getsched };
+allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
+allow evolution_alarm_t evolution_home_t:file manage_file_perms;
+allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".evolution")
+userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".camel_certs")
+
+stream_connect_pattern(evolution_alarm_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+stream_connect_pattern(evolution_alarm_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
+
+kernel_dontaudit_read_system_state(evolution_alarm_t)
+
+dev_read_urand(evolution_alarm_t)
+
+files_read_usr_files(evolution_alarm_t)
+
+fs_dontaudit_getattr_xattr_fs(evolution_alarm_t)
+fs_search_auto_mountpoints(evolution_alarm_t)
+
+auth_use_nsswitch(evolution_alarm_t)
+
+miscfiles_read_localization(evolution_alarm_t)
+
+userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
+
+xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_alarm_t)
+ fs_manage_nfs_files(evolution_alarm_t)
+ fs_manage_nfs_symlinks(evolution_alarm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_alarm_t)
+ fs_manage_cifs_files(evolution_alarm_t)
+ fs_manage_cifs_symlinks(evolution_alarm_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(evolution_alarm_t)
+ dbus_connect_all_session_bus(evolution_alarm_t)
+
+ optional_policy(`
+ evolution_dbus_chat(evolution_alarm_t)
+ ')
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_alarm_t)
+')
+
+########################################
+#
+# Exchange local policy
+#
+
+allow evolution_exchange_t self:process getsched;
+allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_home_t:file manage_file_perms;
+allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(evolution_exchange_t, evolution_home_t, dir, ".evolution")
+userdom_user_home_dir_filetrans(evolution_exchange_t, evolution_home_t, dir, ".camel_certs")
+
+allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
+
+allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+stream_connect_pattern(evolution_exchange_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+stream_connect_pattern(evolution_exchange_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
+stream_connect_pattern(evolution_exchange_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
+
+kernel_read_network_state(evolution_exchange_t)
+kernel_read_net_sysctls(evolution_exchange_t)
+
+corecmd_exec_bin(evolution_exchange_t)
+
+dev_read_urand(evolution_exchange_t)
+
+files_read_usr_files(evolution_exchange_t)
+
+fs_search_auto_mountpoints(evolution_exchange_t)
+
+auth_use_nsswitch(evolution_exchange_t)
+
+miscfiles_read_localization(evolution_exchange_t)
+
+userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
+
+userdom_write_user_tmp_sockets(evolution_exchange_t)
+
+xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_exchange_t)
+ fs_manage_nfs_files(evolution_exchange_t)
+ fs_manage_nfs_symlinks(evolution_exchange_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_exchange_t)
+ fs_manage_cifs_files(evolution_exchange_t)
+ fs_manage_cifs_symlinks(evolution_exchange_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_exchange_t)
+')
+
+########################################
+#
+# Server local policy
+#
+
+allow evolution_server_t self:process { getsched signal };
+
+allow evolution_server_t self:fifo_file { read write };
+allow evolution_server_t self:unix_stream_socket { accept connectto listen };
+
+allow evolution_server_t evolution_home_t:dir manage_dir_perms;
+allow evolution_server_t evolution_home_t:file manage_file_perms;
+allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".evolution")
+userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".camel_certs")
+
+stream_connect_pattern(evolution_server_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
+stream_connect_pattern(evolution_server_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
+stream_connect_pattern(evolution_server_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
+
+kernel_read_system_state(evolution_server_t)
+
+corecmd_exec_shell(evolution_server_t)
+
+corenet_all_recvfrom_unlabeled(evolution_server_t)
+corenet_all_recvfrom_netlabel(evolution_server_t)
+corenet_tcp_sendrecv_generic_if(evolution_server_t)
+corenet_tcp_sendrecv_generic_node(evolution_server_t)
+
+corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_cache_port(evolution_server_t)
+
+corenet_sendrecv_http_client_packets(evolution_server_t)
+corenet_tcp_sendrecv_http_port(evolution_server_t)
+corenet_tcp_connect_http_port(evolution_server_t)
+
+dev_read_urand(evolution_server_t)
+
+files_read_usr_files(evolution_server_t)
+
+fs_search_auto_mountpoints(evolution_server_t)
+
+auth_use_nsswitch(evolution_server_t)
+
+miscfiles_read_localization(evolution_server_t)
+miscfiles_read_generic_certs(evolution_server_t)
+
+userdom_dontaudit_read_user_home_content_files(evolution_server_t)
+
+tunable_policy(`evolution_manage_user_certs',`
+ userdom_manage_user_certs(evolution_server_t)
+',`
+ userdom_dontaudit_manage_user_certs(evolution_server_t)
+ userdom_read_user_certs(evolution_server_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_server_t)
+ fs_manage_nfs_files(evolution_server_t)
+ fs_manage_nfs_symlinks(evolution_server_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_server_t)
+ fs_manage_cifs_files(evolution_server_t)
+ fs_manage_cifs_symlinks(evolution_server_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_server_t)
+')
+
+########################################
+#
+# Webcal local policy
+#
+
+allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corenet_all_recvfrom_unlabeled(evolution_webcal_t)
+corenet_all_recvfrom_netlabel(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_node(evolution_webcal_t)
+
+corenet_tcp_sendrecv_http_port(evolution_webcal_t)
+corenet_tcp_connect_http_port(evolution_webcal_t)
+corenet_sendrecv_http_client_packets(evolution_webcal_t)
+
+corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_cache_port(evolution_webcal_t)
+corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+
+auth_use_nsswitch(evolution_webcal_t)
+
+userdom_search_user_home_dirs(evolution_webcal_t)
+userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
+
+xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
diff --git a/policy/modules/apps/firewallgui.fc b/policy/modules/apps/firewallgui.fc
new file mode 100644
index 00000000..94ab048b
--- /dev/null
+++ b/policy/modules/apps/firewallgui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-firewall/system-config-firewall-mechanism\.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
diff --git a/policy/modules/apps/firewallgui.if b/policy/modules/apps/firewallgui.if
new file mode 100644
index 00000000..e6866d1f
--- /dev/null
+++ b/policy/modules/apps/firewallgui.if
@@ -0,0 +1,41 @@
+## <summary>system-config-firewall dbus system service.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## firewallgui over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewallgui_dbus_chat',`
+ gen_require(`
+ type firewallgui_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 firewallgui_t:dbus send_msg;
+ allow firewallgui_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write firewallgui unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firewallgui_dontaudit_rw_pipes',`
+ gen_require(`
+ type firewallgui_t;
+ ')
+
+ dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
new file mode 100644
index 00000000..20945466
--- /dev/null
+++ b/policy/modules/apps/firewallgui.te
@@ -0,0 +1,73 @@
+policy_module(firewallgui, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type firewallgui_t;
+type firewallgui_exec_t;
+init_system_domain(firewallgui_t, firewallgui_exec_t)
+
+type firewallgui_tmp_t;
+files_tmp_file(firewallgui_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow firewallgui_t self:capability { net_admin sys_rawio } ;
+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
+
+kernel_read_system_state(firewallgui_t)
+kernel_read_network_state(firewallgui_t)
+kernel_rw_net_sysctls(firewallgui_t)
+kernel_rw_kernel_sysctl(firewallgui_t)
+kernel_rw_vm_sysctls(firewallgui_t)
+
+corecmd_exec_bin(firewallgui_t)
+corecmd_exec_shell(firewallgui_t)
+
+dev_read_sysfs(firewallgui_t)
+dev_read_urand(firewallgui_t)
+
+files_list_kernel_modules(firewallgui_t)
+files_read_usr_files(firewallgui_t)
+
+auth_use_nsswitch(firewallgui_t)
+
+miscfiles_read_localization(firewallgui_t)
+
+seutil_read_config(firewallgui_t)
+
+userdom_dontaudit_search_user_home_dirs(firewallgui_t)
+
+optional_policy(`
+ consoletype_exec(firewallgui_t)
+')
+
+optional_policy(`
+ dbus_system_domain(firewallgui_t, firewallgui_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(firewallgui_t)
+ ')
+')
+
+optional_policy(`
+ gnome_read_generic_gconf_home_content(firewallgui_t)
+')
+
+optional_policy(`
+ iptables_domtrans(firewallgui_t)
+ iptables_initrc_domtrans(firewallgui_t)
+')
+
+optional_policy(`
+ modutils_getattr_module_deps(firewallgui_t)
+')
diff --git a/policy/modules/apps/games.fc b/policy/modules/apps/games.fc
new file mode 100644
index 00000000..5e2e4f2a
--- /dev/null
+++ b/policy/modules/apps/games.fc
@@ -0,0 +1,60 @@
+/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
+
+/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
+
+/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
+
+/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+
+/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
new file mode 100644
index 00000000..d29977b2
--- /dev/null
+++ b/policy/modules/apps/games.if
@@ -0,0 +1,99 @@
+## <summary>Various games.</summary>
+
+########################################
+## <summary>
+## Role access for games.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`games_role',`
+ gen_require(`
+ attribute_role games_roles;
+ type games_t, games_exec_t, games_tmp_t;
+ type games_tmpfs_t;
+ ')
+
+ roleattribute $1 games_roles;
+
+ domtrans_pattern($2, games_exec_t, games_t)
+
+ allow $2 games_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { games_tmp_t games_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 games_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 games_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ allow $2 games_t:process { ptrace signal_perms };
+ ps_process_pattern($2, games_t)
+
+ stream_connect_pattern($2, games_tmpfs_t, games_tmpfs_t, games_t)
+
+ allow games_t $2:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Read and write games data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`games_rw_data',`
+ gen_require(`
+ type games_data_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, games_data_t, games_data_t)
+')
+
+########################################
+## <summary>
+## Run a game in the game domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`games_domtrans',`
+ gen_require(`
+ type games_t, games_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, games_exec_t, games_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## games over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`games_dbus_chat',`
+ gen_require(`
+ type games_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 games_t:dbus send_msg;
+ allow games_t $1:dbus send_msg;
+')
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
new file mode 100644
index 00000000..0cdebe62
--- /dev/null
+++ b/policy/modules/apps/games.te
@@ -0,0 +1,197 @@
+policy_module(games, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role games_roles;
+
+type games_t;
+type games_exec_t;
+typealias games_t alias { user_games_t staff_games_t sysadm_games_t };
+typealias games_t alias { auditadm_games_t secadm_games_t };
+userdom_user_application_domain(games_t, games_exec_t)
+role games_roles types games_t;
+
+optional_policy(`
+ wm_application_domain(games_t, games_exec_t)
+')
+
+type games_data_t;
+typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
+typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t };
+files_type(games_data_t)
+ubac_constrained(games_data_t)
+
+type games_devpts_t;
+typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t };
+typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t };
+term_pty(games_devpts_t)
+ubac_constrained(games_devpts_t)
+
+type games_srv_t;
+init_system_domain(games_srv_t, games_exec_t)
+
+type games_srv_var_run_t;
+files_pid_file(games_srv_var_run_t)
+
+type games_tmp_t;
+typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
+typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
+userdom_user_tmp_file(games_tmp_t)
+
+type games_tmpfs_t;
+typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
+typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
+userdom_user_tmpfs_file(games_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(games_tmpfs_t)
+')
+
+########################################
+#
+# Server local policy
+#
+
+dontaudit games_srv_t self:capability sys_tty_config;
+allow games_srv_t self:process signal_perms;
+
+manage_files_pattern(games_srv_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t)
+
+manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t)
+files_pid_filetrans(games_srv_t, games_srv_var_run_t, file)
+
+can_exec(games_srv_t, games_exec_t)
+
+kernel_read_kernel_sysctls(games_srv_t)
+kernel_list_proc(games_srv_t)
+kernel_read_proc_symlinks(games_srv_t)
+
+dev_read_sysfs(games_srv_t)
+
+fs_getattr_all_fs(games_srv_t)
+fs_search_auto_mountpoints(games_srv_t)
+
+term_dontaudit_use_console(games_srv_t)
+
+domain_use_interactive_fds(games_srv_t)
+
+init_use_fds(games_srv_t)
+init_use_script_ptys(games_srv_t)
+
+logging_send_syslog_msg(games_srv_t)
+
+miscfiles_read_localization(games_srv_t)
+
+userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
+
+userdom_dontaudit_search_user_home_dirs(games_srv_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(games_srv_t)
+')
+
+optional_policy(`
+ udev_read_db(games_srv_t)
+')
+
+########################################
+#
+# Client local policy
+#
+
+allow games_t self:fifo_file rw_file_perms;
+allow games_t self:sem create_sem_perms;
+allow games_t self:tcp_socket { accept listen };
+
+manage_files_pattern(games_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
+
+allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(games_t, games_devpts_t)
+
+manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
+manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+files_tmp_filetrans(games_t, games_tmp_t, { file dir })
+
+manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(games_t, games_exec_t)
+
+kernel_read_system_state(games_t)
+
+corecmd_exec_bin(games_t)
+
+corenet_all_recvfrom_unlabeled(games_t)
+corenet_all_recvfrom_netlabel(games_t)
+corenet_tcp_sendrecv_generic_if(games_t)
+corenet_tcp_sendrecv_generic_node(games_t)
+corenet_tcp_sendrecv_all_ports(games_t)
+corenet_tcp_bind_generic_node(games_t)
+
+corenet_sendrecv_generic_server_packets(games_t)
+corenet_tcp_bind_generic_port(games_t)
+
+corenet_sendrecv_generic_client_packets(games_t)
+corenet_tcp_connect_generic_port(games_t)
+
+dev_read_sound(games_t)
+dev_read_input(games_t)
+dev_read_mouse(games_t)
+dev_read_urand(games_t)
+dev_rw_dri(games_t)
+dev_write_sound(games_t)
+
+files_list_var(games_t)
+files_search_var_lib(games_t)
+files_dontaudit_search_var(games_t)
+files_read_etc_files(games_t)
+files_read_usr_files(games_t)
+files_read_var_files(games_t)
+
+fs_dontaudit_getattr_xattr_fs(games_t)
+
+init_dontaudit_rw_utmp(games_t)
+
+logging_dontaudit_search_logs(games_t)
+
+miscfiles_read_man_pages(games_t)
+miscfiles_read_localization(games_t)
+
+sysnet_dns_name_resolve(games_t)
+
+userdom_manage_user_tmp_dirs(games_t)
+userdom_manage_user_tmp_files(games_t)
+userdom_manage_user_tmp_symlinks(games_t)
+userdom_manage_user_tmp_sockets(games_t)
+userdom_dontaudit_read_user_home_content_files(games_t)
+
+tunable_policy(`allow_execmem',`
+ allow games_t self:process execmem;
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(games_t)
+ dbus_connect_all_session_bus(games_t)
+')
+
+optional_policy(`
+ nscd_use(games_t)
+')
+
+optional_policy(`
+ pulseaudio_run(games_t, games_roles)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(games_t)
+ xserver_read_xdm_lib_files(games_t)
+')
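Review bot: `games_exec_t` is the entrypoint of two domains — `userdom_user_application_domain(games_t, games_exec_t)` and `init_system_domain(games_srv_t, games_exec_t)` — so a binary labelled games_exec_t lands in games_srv_t when started by init and in games_t when run by a user, and nothing in the declarations says this sharing is intentional; a comment above `type games_srv_t;` such as `# games_srv_t shares games_exec_t with games_t: the same game binaries are run both as a system service and by users` would keep a later .fc author from splitting the type by accident. The client rules `allow games_t self:tcp_socket { accept listen };` and `corenet_tcp_bind_generic_port(games_t)` turn a user application domain into a permitted network listener, which is worth one explanatory comment (presumably multiplayer hosting). The client is also granted `corenet_tcp_sendrecv_all_ports(games_t)` while bind and connect are limited to generic ports; if the generic-port scope is the intended one, the sendrecv rule could be narrowed to match.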
diff --git a/policy/modules/apps/gift.fc b/policy/modules/apps/gift.fc
new file mode 100644
index 00000000..e27fa519
--- /dev/null
+++ b/policy/modules/apps/gift.fc
@@ -0,0 +1,6 @@
+HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0)
+
+/usr/bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0)
+/usr/bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0)
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
new file mode 100644
index 00000000..e9023e56
--- /dev/null
+++ b/policy/modules/apps/gift.if
@@ -0,0 +1,40 @@
+## <summary>Peer to peer file sharing tool.</summary>
+
+########################################
+## <summary>
+## Role access for gift.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`gift_role',`
+ gen_require(`
+ attribute_role gift_roles, giftd_roles;
+ type gift_t, gift_exec_t, gift_home_t;
+ type giftd_t, giftd_exec_t, gift_tmpfs_t;
+ ')
+
+ roleattribute $1 gift_roles;
+ roleattribute $1 giftd_roles;
+
+ domtrans_pattern($2, gift_exec_t, gift_t)
+ domtrans_pattern($2, giftd_exec_t, giftd_t)
+
+ allow $2 gift_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { gift_home_t gift_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { gift_home_t gift_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 gift_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 gift_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_user_home_dir_filetrans($2, gift_home_t, dir, ".giFT")
+
+ ps_process_pattern($2, { gift_t giftd_t })
+ allow $2 { gift_t giftd_t }:process { ptrace signal_perms };
+')
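Review bot: `gift_role` gives `$2` file, lnk_file, fifo_file and sock_file permissions on gift_tmpfs_t but no dir permissions, yet gift.te creates gift_tmpfs_t directories through `fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })`, so the user domain cannot list, remove or relabel those directories (and hence cannot reach the files inside them on restorecon or cleanup). Adding `allow $2 gift_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };` next to the existing `allow $2 gift_home_t:dir ...` line would make the role interface match what the application domain creates. The parallel games_role interface does not need the dir rule because games.te's tmpfs filetrans excludes `dir`, so this is specific to gift.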
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
new file mode 100644
index 00000000..21692909
--- /dev/null
+++ b/policy/modules/apps/gift.te
@@ -0,0 +1,144 @@
+policy_module(gift, 2.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role gift_roles;
+attribute_role giftd_roles;
+
+type gift_t;
+type gift_exec_t;
+typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t };
+typealias gift_t alias { auditadm_gift_t secadm_gift_t };
+userdom_user_application_domain(gift_t, gift_exec_t)
+role gift_roles types gift_t;
+
+type gift_home_t;
+typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
+typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
+userdom_user_home_content(gift_home_t)
+
+type gift_tmpfs_t;
+typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
+typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
+userdom_user_tmpfs_file(gift_tmpfs_t)
+
+type giftd_t;
+type giftd_exec_t;
+typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t };
+typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t };
+userdom_user_application_domain(giftd_t, giftd_exec_t)
+role giftd_roles types giftd_t;
+
+optional_policy(`
+ wm_application_domain(gift_t, gift_exec_t)
+')
+
+##############################
+#
+# Client local policy
+#
+
+manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(gift_t, gift_home_t, gift_home_t)
+manage_files_pattern(gift_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
+
+domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
+
+kernel_read_system_state(gift_t)
+
+corenet_all_recvfrom_unlabeled(gift_t)
+corenet_all_recvfrom_netlabel(gift_t)
+corenet_tcp_sendrecv_generic_if(gift_t)
+corenet_tcp_sendrecv_generic_node(gift_t)
+
+corenet_sendrecv_giftd_client_packets(gift_t)
+corenet_tcp_connect_giftd_port(gift_t)
+corenet_tcp_sendrecv_giftd_port(gift_t)
+
+fs_search_auto_mountpoints(gift_t)
+
+auth_use_nsswitch(gift_t)
+
+userdom_dontaudit_read_user_home_content_files(gift_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gift_t)
+ fs_manage_nfs_files(gift_t)
+ fs_manage_nfs_symlinks(gift_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gift_t)
+ fs_manage_cifs_files(gift_t)
+ fs_manage_cifs_symlinks(gift_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
+')
+
+##############################
+#
+# Server local policy
+#
+
+allow giftd_t self:process { signal setsched };
+allow giftd_t self:unix_stream_socket create_socket_perms;
+allow giftd_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_files_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
+
+kernel_read_system_state(giftd_t)
+kernel_read_kernel_sysctls(giftd_t)
+
+corenet_all_recvfrom_unlabeled(giftd_t)
+corenet_all_recvfrom_netlabel(giftd_t)
+corenet_tcp_sendrecv_generic_if(giftd_t)
+corenet_udp_sendrecv_generic_if(giftd_t)
+corenet_tcp_sendrecv_generic_node(giftd_t)
+corenet_udp_sendrecv_generic_node(giftd_t)
+corenet_tcp_sendrecv_all_ports(giftd_t)
+corenet_udp_sendrecv_all_ports(giftd_t)
+corenet_tcp_bind_generic_node(giftd_t)
+corenet_udp_bind_generic_node(giftd_t)
+
+corenet_sendrecv_all_server_packets(giftd_t)
+corenet_tcp_bind_all_ports(giftd_t)
+corenet_udp_bind_all_ports(giftd_t)
+
+corenet_sendrecv_all_client_packets(giftd_t)
+corenet_tcp_connect_all_ports(giftd_t)
+
+files_read_etc_runtime_files(giftd_t)
+files_read_usr_files(giftd_t)
+
+miscfiles_read_localization(giftd_t)
+
+sysnet_dns_name_resolve(giftd_t)
+
+userdom_use_user_terminals(giftd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(giftd_t)
+ fs_manage_nfs_files(giftd_t)
+ fs_manage_nfs_symlinks(giftd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(giftd_t)
+ fs_manage_cifs_files(giftd_t)
+ fs_manage_cifs_symlinks(giftd_t)
+')
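Review bot: The server domain receives `corenet_tcp_bind_all_ports(giftd_t)` and `corenet_udp_bind_all_ports(giftd_t)`, which cover reserved and already-labelled ports, even though the module already relies on a dedicated giftd port type for the client (`corenet_tcp_connect_giftd_port(gift_t)`, `corenet_tcp_sendrecv_giftd_port(gift_t)`). A narrower and equivalent grant for a peer-to-peer daemon that listens on its own port plus ephemeral ports would be `corenet_tcp_bind_giftd_port(giftd_t)` together with `corenet_tcp_bind_all_unreserved_ports(giftd_t)` and `corenet_udp_bind_all_unreserved_ports(giftd_t)`, which keeps giftd_t off privileged ports. `corenet_tcp_connect_all_ports(giftd_t)` is presumably unavoidable for outbound peer connections, but a short comment above the server network block stating that assumption would explain why the client domain is limited to the giftd port while the daemon is not.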
diff --git a/policy/modules/apps/gitosis.fc b/policy/modules/apps/gitosis.fc
new file mode 100644
index 00000000..b64de321
--- /dev/null
+++ b/policy/modules/apps/gitosis.fc
@@ -0,0 +1,7 @@
+/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+
+/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+/var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff --git a/policy/modules/apps/gitosis.if b/policy/modules/apps/gitosis.if
new file mode 100644
index 00000000..f8ca38cb
--- /dev/null
+++ b/policy/modules/apps/gitosis.if
@@ -0,0 +1,87 @@
+## <summary>Tools for managing and hosting git repositories.</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run gitosis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gitosis_domtrans',`
+ gen_require(`
+ type gitosis_t, gitosis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+## <summary>
+## Execute gitosis-serve in the
+## gitosis domain, and allow the
+## specified role the gitosis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_run',`
+ gen_require(`
+ attribute_role gitosis_roles;
+ ')
+
+ gitosis_domtrans($1)
+ roleattribute $2 gitosis_roles;
+')
+
+#######################################
+## <summary>
+## Read gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_read_lib_files',`
+ gen_require(`
+ type gitosis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_manage_lib_files',`
+ gen_require(`
+ type gitosis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
diff --git a/policy/modules/apps/gitosis.te b/policy/modules/apps/gitosis.te
new file mode 100644
index 00000000..582db0a2
--- /dev/null
+++ b/policy/modules/apps/gitosis.te
@@ -0,0 +1,65 @@
+policy_module(gitosis, 1.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether Gitosis can send mail.
+## </p>
+## </desc>
+gen_tunable(gitosis_can_sendmail, false)
+
+attribute_role gitosis_roles;
+roleattribute system_r gitosis_roles;
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role gitosis_roles types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
+
+kernel_read_system_state(gitosis_t)
+
+corenet_all_recvfrom_unlabeled(gitosis_t)
+corenet_all_recvfrom_netlabel(gitosis_t)
+corenet_tcp_sendrecv_generic_if(gitosis_t)
+corenet_tcp_sendrecv_generic_node(gitosis_t)
+corenet_tcp_bind_generic_node(gitosis_t)
+
+corenet_sendrecv_ssh_server_packets(gitosis_t)
+corenet_tcp_bind_ssh_port(gitosis_t)
+corenet_tcp_sendrecv_ssh_port(gitosis_t)
+
+corecmd_exec_bin(gitosis_t)
+corecmd_exec_shell(gitosis_t)
+
+dev_read_urand(gitosis_t)
+
+files_read_etc_files(gitosis_t)
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
+
+sysnet_read_config(gitosis_t)
+
+tunable_policy(`gitosis_can_sendmail',`
+ mta_send_mail(gitosis_t)
+')
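Review bot: `exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)` directly above `manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)` lets the domain both write and execute files of one type, giving up the write-xor-execute separation that the rest of the module's type split provides; if this is required because repository hooks live inside the tree, a comment such as `# git hooks under the repository tree are written and executed by the same domain` should say so, otherwise a separate executable type for hook content would be tighter. The ssh rules `corenet_tcp_bind_ssh_port(gitosis_t)`, `corenet_tcp_sendrecv_ssh_port(gitosis_t)` and `corenet_sendrecv_ssh_server_packets(gitosis_t)` are unexpected for a program that is presumably spawned by sshd as a forced command rather than listening itself; if they are not exercised, dropping them narrows the domain, and if they are, a comment explaining why gitosis_t binds the ssh port is warranted.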
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
new file mode 100644
index 00000000..81e9716a
--- /dev/null
+++ b/policy/modules/apps/gnome.fc
@@ -0,0 +1,28 @@
+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
+HOME_DIR/\.cache/keyring-.* gen_context(system_u:object_r:gnome_xdg_cache_t,s0)
+HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_t,s0)
+HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_xdg_config_t,s0)
+HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
+HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gnome_xdg_data_t,s0)
+
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
+
+/tmp/gconfd-%{USERNAME}/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+
+/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
+
+/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/run/user/%{USERID}/keyring(/.*)? gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
+/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:gconf_tmp_t,s0)
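Review bot: `/run/user/[^/]*/orcexec\..*` and `/run/user/%{USERID}/orcexec\..*` assign the same context and the first pattern already matches every path the second can, so one of the two entries looks redundant; if both are kept deliberately (the `%{USERID}` form is expanded per user by genhomedircon while the `[^/]*` form applies to a plain setfiles run), a one-line `#` comment above them would stop the next reader from deleting one. `/tmp/gconfd-%{USERNAME}/.* --` labels only regular files under the gconfd tmp directory and not the directory itself, so the directory's label depends on a file transition elsewhere; a short comment noting that this is intentional would help.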
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
new file mode 100644
index 00000000..8b27d15a
--- /dev/null
+++ b/policy/modules/apps/gnome.if
@@ -0,0 +1,809 @@
+## <summary>GNU network object model environment.</summary>
+
+#######################################
+## <summary>
+## The role template for gnome.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`gnome_role_template',`
+ gen_require(`
+ attribute gnomedomain, gkeyringd_domain;
+ attribute_role gconfd_roles;
+ type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
+ type gconfd_t, gconfd_exec_t, gconf_tmp_t;
+ type gconf_home_t;
+ ')
+
+ ########################################
+ #
+ # Gconf declarations
+ #
+
+ roleattribute $2 gconfd_roles;
+
+ ########################################
+ #
+ # Gkeyringd declarations
+ #
+
+ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
+ userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
+ domain_user_exemption_target($1_gkeyringd_t)
+
+ role $2 types $1_gkeyringd_t;
+
+ ########################################
+ #
+ # Gconf policy
+ #
+
+ domtrans_pattern($3, gconfd_exec_t, gconfd_t)
+
+ allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
+ userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
+ userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
+
+ allow $3 gconfd_t:process { ptrace signal_perms };
+ ps_process_pattern($3, gconfd_t)
+
+ ########################################
+ #
+ # Gkeyringd policy
+ #
+
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+
+ allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
+
+ userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
+ userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
+ userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
+
+ gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
+
+ allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+
+ ps_process_pattern($3, $1_gkeyringd_t)
+ allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+
+ corecmd_bin_domtrans($1_gkeyringd_t, $3)
+ corecmd_shell_domtrans($1_gkeyringd_t, $3)
+
+ gnome_stream_connect_gkeyringd($1, $3)
+
+ optional_policy(`
+ dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
+ dbus_system_bus_client($1_gkeyringd_t)
+
+ optional_policy(`
+ evolution_dbus_chat($1_gkeyringd_t)
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfd($3)
+ gnome_dbus_chat_gkeyringd($1, $3)
+ ')
+
+ optional_policy(`
+ wm_dbus_chat($1, $1_gkeyringd_t)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Execute gconf in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, gconfd_exec_t)
+')
+
+########################################
+## <summary>
+## Read gconf configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ allow $1 gconf_etc_t:file read_file_perms;
+ allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## inherited gconf configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ dontaudit $1 gconf_etc_t:file read;
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## gconf configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+ gen_require(`
+ type gconf_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 gconf_etc_t:dir manage_dir_perms;
+ allow $1 gconf_etc_t:file manage_file_perms;
+ allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to gconf using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_gconf',`
+ gen_require(`
+ type gconfd_t, gconf_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
+')
+
+########################################
+## <summary>
+## Run gconfd in gconfd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gnome_domtrans_gconfd',`
+ gen_require(`
+ type gconfd_t, gconfd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+')
+
+########################################
+## <summary>
+## Create generic gnome home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ allow $1 gnome_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Set attributes of generic gnome
+## user home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_setattr_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+')
+
+########################################
+## <summary>
+## Read generic gnome home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_home_content',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir list_dir_perms;
+ allow $1 gnome_home_t:file { read_file_perms map };
+ allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
+ allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
+ allow $1 gnome_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic gnome home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_home_content',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir manage_dir_perms;
+ allow $1 gnome_home_t:file manage_file_perms;
+ allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 gnome_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic gnome home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_generic_home',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in gnome user home
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, gnome_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create generic gconf home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_create_generic_gconf_home_dirs',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ allow $1 gconf_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic gconf home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_generic_gconf_home_content',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 gconf_home_t:file read_file_perms;
+ allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
+ allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
+ allow $1 gconf_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic gconf home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_generic_gconf_home_content',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir manage_dir_perms;
+ allow $1 gconf_home_t:file manage_file_perms;
+ allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 gconf_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic gconf home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_search_generic_gconf_home',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 gconf_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic gconf
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_gconf_home',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic gnome
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_home_filetrans_gnome_home',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in gnome gconf home
+## directories with a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_gconf_home_filetrans',`
+ gen_require(`
+ type gconf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ filetrans_pattern($1, gconf_home_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read generic gnome keyring home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_read_keyring_home_files',`
+ gen_require(`
+ type gnome_home_t, gnome_keyring_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gnome configuration daemon over
+## dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfd',`
+ gen_require(`
+ type gconfd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gconfd_t:dbus send_msg;
+ allow gconfd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## gnome keyring daemon over dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gkeyringd',`
+ gen_require(`
+ type $1_gkeyringd_t;
+ class dbus send_msg;
+ ')
+
+ allow $2 $1_gkeyringd_t:dbus send_msg;
+ allow $1_gkeyringd_t $2:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from all
+## gnome keyring daemon over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_all_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ class dbus send_msg;
+ ')
+
+ allow $1 gkeyringd_domain:dbus send_msg;
+ allow gkeyringd_domain $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Run all gkeyringd in gkeyringd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gnome_spec_domtrans_all_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gkeyringd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain)
+')
+
+########################################
+## <summary>
+## Connect to gnome keyring daemon
+## with a unix stream socket.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_gkeyringd',`
+ gen_require(`
+ type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ ')
+
+ files_search_tmp($2)
+ userdom_search_user_runtime($2)
+ stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+')
+
+########################################
+## <summary>
+## Connect to all gnome keyring daemon
+## with a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_stream_connect_all_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
+ type gnome_keyring_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ userdom_search_user_runtime($1)
+ stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+')
+
+########################################
+## <summary>
+## Manage gstreamer ORC optimized
+## code.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Mmap gstreamer ORC optimized
+## code.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_mmap_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms;
+')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
new file mode 100644
index 00000000..340e394a
--- /dev/null
+++ b/policy/modules/apps/gnome.te
@@ -0,0 +1,215 @@
+policy_module(gnome, 2.9.2)
+
+##############################
+#
+# Declarations
+#
+
+attribute gkeyringd_domain;
+attribute gnomedomain;
+attribute_role gconfd_roles;
+
+type gconf_etc_t;
+files_config_file(gconf_etc_t)
+
+type gconf_home_t;
+typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
+typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+typealias gconf_home_t alias unconfined_gconf_home_t;
+userdom_user_home_content(gconf_home_t)
+
+type gconf_tmp_t;
+typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
+typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
+typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
+userdom_user_tmp_file(gconf_tmp_t)
+
+type gconfd_t, gnomedomain;
+type gconfd_exec_t;
+typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
+typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+userdom_user_application_domain(gconfd_t, gconfd_exec_t)
+role gconfd_roles types gconfd_t;
+
+type gnome_home_t;
+typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
+typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+typealias gnome_home_t alias unconfined_gnome_home_t;
+userdom_user_home_content(gnome_home_t)
+
+type gkeyringd_exec_t;
+application_executable_file(gkeyringd_exec_t)
+
+type gnome_keyring_home_t;
+userdom_user_home_content(gnome_keyring_home_t)
+
+type gnome_keyring_tmp_t;
+userdom_user_tmp_file(gnome_keyring_tmp_t)
+userdom_user_runtime_content(gnome_keyring_tmp_t)
+
+type gnome_xdg_cache_t;
+xdg_cache_content(gnome_xdg_cache_t)
+
+type gnome_xdg_config_t;
+xdg_config_content(gnome_xdg_config_t)
+
+type gnome_xdg_data_t;
+xdg_data_content(gnome_xdg_data_t)
+
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+userdom_user_runtime_content(gstreamer_orcexec_t)
+
+##############################
+#
+# Common local Policy
+#
+
+allow gnomedomain self:process { getsched signal };
+allow gnomedomain self:fifo_file rw_fifo_file_perms;
+
+dev_read_urand(gnomedomain)
+
+domain_use_interactive_fds(gnomedomain)
+
+files_read_etc_files(gnomedomain)
+
+miscfiles_read_localization(gnomedomain)
+
+logging_send_syslog_msg(gnomedomain)
+
+userdom_use_user_terminals(gnomedomain)
+
+optional_policy(`
+ xserver_rw_xsession_log(gnomedomain)
+ xserver_rw_xdm_pipes(gnomedomain)
+ xserver_use_xdm_fds(gnomedomain)
+')
+
+##############################
+#
+# Conf daemon local Policy
+#
+
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+
+manage_dirs_pattern(gconfd_t, gnome_xdg_cache_t, gnome_xdg_cache_t)
+manage_files_pattern(gconfd_t, gnome_xdg_cache_t, gnome_xdg_cache_t)
+xdg_cache_filetrans(gconfd_t, gnome_xdg_cache_t, dir)
+
+manage_dirs_pattern(gconfd_t, gnome_xdg_config_t, gnome_xdg_config_t)
+manage_files_pattern(gconfd_t, gnome_xdg_config_t, gnome_xdg_config_t)
+xdg_config_filetrans(gconfd_t, gnome_xdg_config_t, dir)
+
+manage_dirs_pattern(gconfd_t, gnome_xdg_data_t, gnome_xdg_data_t)
+manage_files_pattern(gconfd_t, gnome_xdg_data_t, gnome_xdg_data_t)
+xdg_data_filetrans(gconfd_t, gnome_xdg_data_t, dir)
+
+# for /proc/filesystems
+kernel_read_system_state(gconfd_t)
+
+# for /var/lib/gconf/defaults
+files_read_var_lib_files(gconfd_t)
+
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, { dir sock_file })
+userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
+
+optional_policy(`
+ dbus_all_session_domain(gconfd_t, gconfd_exec_t)
+
+ dbus_system_bus_client(gconfd_t)
+
+ optional_policy(`
+ pulseaudio_dbus_chat(gconfd_t)
+ ')
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gconfd_t)
+')
+
+optional_policy(`
+ ooffice_stream_connect(gconfd_t)
+')
+
+optional_policy(`
+ pulseaudio_stream_connect(gconfd_t)
+')
+
+##############################
+#
+# Keyring-daemon local policy
+#
+
+allow gkeyringd_domain self:capability ipc_lock;
+allow gkeyringd_domain self:process { getcap setcap };
+allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
+
+allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
+gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
+
+manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
+manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
+gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
+
+manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
+manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
+files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+
+manage_dirs_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t)
+manage_files_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t)
+manage_sock_files_pattern(gkeyringd_domain, gnome_xdg_cache_t, gnome_xdg_cache_t)
+xdg_cache_filetrans(gkeyringd_domain, gnome_xdg_cache_t, dir)
+
+manage_dirs_pattern(gkeyringd_domain, gnome_xdg_config_t, gnome_xdg_config_t)
+manage_files_pattern(gkeyringd_domain, gnome_xdg_config_t, gnome_xdg_config_t)
+xdg_config_filetrans(gkeyringd_domain, gnome_xdg_config_t, dir)
+
+manage_dirs_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t)
+manage_files_pattern(gkeyringd_domain, gnome_xdg_data_t, gnome_xdg_data_t)
+xdg_data_filetrans(gkeyringd_domain, gnome_xdg_data_t, dir)
+
+kernel_read_crypto_sysctls(gkeyringd_domain)
+kernel_read_kernel_sysctls(gkeyringd_domain)
+kernel_read_system_state(gkeyringd_domain)
+
+dev_read_rand(gkeyringd_domain)
+dev_read_sysfs(gkeyringd_domain)
+
+files_read_usr_files(gkeyringd_domain)
+
+fs_getattr_all_fs(gkeyringd_domain)
+
+selinux_getattr_fs(gkeyringd_domain)
+
+seutil_read_config(gkeyringd_domain)
+
+optional_policy(`
+ ssh_read_user_home_files(gkeyringd_domain)
+')
+
+optional_policy(`
+ telepathy_mission_control_read_state(gkeyringd_domain)
+')
+
+optional_policy(`
+ xserver_rw_xsession_log(gkeyringd_domain)
+')
+
+ifdef(`distro_gentoo',`
+ typealias gnome_xdg_cache_t alias gnome_xdg_cache_home_t;
+ typealias gnome_xdg_config_t alias gnome_xdg_config_home_t;
+ typealias gnome_xdg_data_t alias gnome_xdg_data_home_t;
+')
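Review bot: The `allow gkeyringd_domain self:capability ipc_lock;` line that opens the keyring-daemon section, and the `{ getcap setcap }` process grant below it, carry no rationale, whereas the gconfd section explains its unusual grants (`# for /proc/filesystems`, `# for /var/lib/gconf/defaults`). A capability grant is the line a later maintainer is most likely to question or loosen, so it deserves a why-comment; if the intent is locking secret material in memory, something like `# ipc_lock: presumably mlock() of in-memory keyring secrets — confirm` would do, and the same for why the daemon needs to change its own capability set. The `dev_read_rand`/`kernel_read_crypto_sysctls` pair further down is self-explanatory for a keyring daemon and needs nothing.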
diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
new file mode 100644
index 00000000..c9362398
--- /dev/null
+++ b/policy/modules/apps/gpg.fc
@@ -0,0 +1,16 @@
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+
+/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+/usr/bin/pinentry.* -- gen_context(system_u:object_r:gpg_pinentry_exec_t,s0)
+
+/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
+/run/user/%{USERID}/gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
new file mode 100644
index 00000000..78efb186
--- /dev/null
+++ b/policy/modules/apps/gpg.if
@@ -0,0 +1,336 @@
+## <summary>Policy for GNU Privacy Guard and related programs.</summary>
+
+############################################################
+## <summary>
+## Role access for gpg.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`gpg_role',`
+ gen_require(`
+ attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
+ type gpg_t, gpg_exec_t, gpg_agent_t;
+ type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
+ type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
+ ')
+
+ roleattribute $1 gpg_roles;
+ roleattribute $1 gpg_agent_roles;
+ roleattribute $1 gpg_helper_roles;
+ roleattribute $1 gpg_pinentry_roles;
+
+ domtrans_pattern($2, gpg_exec_t, gpg_t)
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+
+ allow $2 self:process setrlimit;
+ allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
+ ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
+
+ allow gpg_pinentry_t $2:process signull;
+ allow gpg_helper_t $2:fd use;
+ allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
+
+ allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+ userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
+
+ optional_policy(`
+ gpg_pinentry_dbus_chat($2)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the gpg in the gpg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gpg_domtrans',`
+ gen_require(`
+ type gpg_t, gpg_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gpg_exec_t, gpg_t)
+')
+
+########################################
+## <summary>
+## Execute the gpg in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_exec',`
+ gen_require(`
+ type gpg_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, gpg_exec_t)
+')
+
+########################################
+## <summary>
+## Execute gpg in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute gpg in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+#
+interface(`gpg_spec_domtrans',`
+ gen_require(`
+ type gpg_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_transition_pattern($1, gpg_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Execute the gpg-agent in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_exec_agent',`
+ gen_require(`
+ type gpg_agent_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, gpg_agent_exec_t)
+')
+
+######################################
+## <summary>
+## Make gpg executable files an
+## entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which gpg_exec_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`gpg_entry_type',`
+ gen_require(`
+ type gpg_exec_t;
+ ')
+
+ domain_entry_file($1, gpg_exec_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to gpg.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_signal',`
+ gen_require(`
+ type gpg_t;
+ ')
+
+ allow $1 gpg_t:process signal;
+')
+
+########################################
+## <summary>
+## Read and write gpg agent pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_rw_agent_pipes',`
+ gen_require(`
+ type gpg_agent_t;
+ ')
+
+ allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to gpg agent socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_stream_connect_agent',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t, gpg_runtime_t;
+ ')
+
+ stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+ allow $1 { gpg_secret_t gpg_runtime_t }:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Search gpg agent dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_search_agent_tmp_dirs',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## filetrans in gpg_agent_tmp_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_tmp_filetrans',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
+## filetrans in gpg_runtime_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_runtime_filetrans',`
+ gen_require(`
+ type gpg_runtime_t;
+ ')
+
+ filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
+## filetrans in gpg_secret_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_secret_filetrans',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+## Send messages to and from gpg
+## pinentry over DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_pinentry_dbus_chat',`
+ gen_require(`
+ type gpg_pinentry_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 gpg_pinentry_t:dbus send_msg;
+ allow gpg_pinentry_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## List gpg user secrets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_list_user_secrets',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
+ userdom_search_user_home_dirs($1)
+')
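Review bot: gpg_agent_tmp_filetrans, gpg_runtime_filetrans and gpg_secret_filetrans pass `$2, $3, $4` to filetrans_pattern but their headers document only `domain`, so the generated interface reference will silently omit the private type, object class and optional name arguments. Copy the `<param name="private_type">`, `<param name="object_class">` and `<param name="name" optional="true">` entries that the gnome filetrans interfaces in this same commit use into each of the three headers, and give them a summary in the file's style, e.g. `Create objects in gpg agent temporary directories with a private type.` instead of `filetrans in gpg_agent_tmp_t dirs`. Separately, the `ptrace` grant in gpg_role over `gpg_agent_t` lets the user domain inspect the agent's memory, which is where the agent caches passphrases and unlocked key material; if the agent's separate domain is meant to protect that material from the user session, that grant deserves a comment stating the trade-off (or a tunable), since as written it is the user domain's ptrace, not the policy, that decides.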
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
new file mode 100644
index 00000000..e763b76b
--- /dev/null
+++ b/policy/modules/apps/gpg.te
@@ -0,0 +1,404 @@
+policy_module(gpg, 2.13.2)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether GPG agent can manage
+## generic user home content files. This is
+## required by the --write-env-file option.
+## </p>
+## </desc>
+gen_tunable(gpg_agent_env_file, false)
+
+## <desc>
+## <p>
+## Determine whether GPG agent can use OpenPGP
+## cards or Yubikeys over USB
+## </p>
+## </desc>
+gen_tunable(gpg_agent_use_card, false)
+
+attribute_role gpg_roles;
+roleattribute system_r gpg_roles;
+
+attribute_role gpg_agent_roles;
+
+attribute_role gpg_helper_roles;
+roleattribute system_r gpg_helper_roles;
+
+attribute_role gpg_pinentry_roles;
+
+type gpg_t;
+type gpg_exec_t;
+userdom_user_application_domain(gpg_t, gpg_exec_t)
+role gpg_roles types gpg_t;
+
+type gpg_runtime_t;
+files_pid_file(gpg_runtime_t)
+userdom_user_runtime_content(gpg_runtime_t)
+
+type gpg_agent_t;
+type gpg_agent_exec_t;
+userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
+role gpg_agent_roles types gpg_agent_t;
+
+type gpg_agent_tmp_t;
+userdom_user_tmp_file(gpg_agent_tmp_t)
+userdom_user_runtime_content(gpg_agent_tmp_t)
+
+type gpg_secret_t;
+userdom_user_home_content(gpg_secret_t)
+
+type gpg_helper_t;
+type gpg_helper_exec_t;
+userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
+role gpg_helper_roles types gpg_helper_t;
+
+type gpg_pinentry_t;
+type gpg_pinentry_exec_t;
+typealias gpg_pinentry_exec_t alias pinentry_exec_t; # 20170105
+userdom_user_application_domain(gpg_pinentry_t, gpg_pinentry_exec_t)
+role gpg_pinentry_roles types gpg_pinentry_t;
+
+type gpg_pinentry_tmp_t;
+userdom_user_tmp_file(gpg_pinentry_tmp_t)
+
+type gpg_pinentry_tmpfs_t;
+userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow gpg_t self:capability { ipc_lock setuid };
+allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid };
+dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
+allow gpg_t self:fifo_file rw_fifo_file_perms;
+allow gpg_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
+
+manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
+
+manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+
+gpg_stream_connect_agent(gpg_t)
+
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+
+kernel_read_crypto_sysctls(gpg_t)
+kernel_read_sysctl(gpg_t)
+# read /proc/cpuinfo
+kernel_read_system_state(gpg_t)
+
+corecmd_exec_shell(gpg_t)
+corecmd_exec_bin(gpg_t)
+
+corenet_all_recvfrom_unlabeled(gpg_t)
+corenet_all_recvfrom_netlabel(gpg_t)
+corenet_tcp_sendrecv_generic_if(gpg_t)
+corenet_tcp_sendrecv_generic_node(gpg_t)
+
+corenet_sendrecv_all_client_packets(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_tcp_sendrecv_all_ports(gpg_t)
+
+dev_read_generic_usb_dev(gpg_t)
+dev_read_rand(gpg_t)
+dev_read_urand(gpg_t)
+
+files_read_usr_files(gpg_t)
+files_dontaudit_search_var(gpg_t)
+
+fs_getattr_xattr_fs(gpg_t)
+fs_list_inotifyfs(gpg_t)
+
+domain_use_interactive_fds(gpg_t)
+
+auth_use_nsswitch(gpg_t)
+
+logging_send_syslog_msg(gpg_t)
+
+miscfiles_read_localization(gpg_t)
+
+userdom_use_user_terminals(gpg_t)
+
+userdom_manage_user_tmp_dirs(gpg_t)
+userdom_manage_user_tmp_files(gpg_t)
+
+userdom_user_content_access_template(gpg, gpg_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_t)
+ fs_manage_nfs_files(gpg_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_t)
+ fs_manage_cifs_files(gpg_t)
+')
+
+optional_policy(`
+ dirmngr_domtrans(gpg_t)
+ dirmngr_stream_connect(gpg_t)
+')
+
+optional_policy(`
+ evolution_read_orbit_tmp_files(gpg_t)
+')
+
+optional_policy(`
+ gnome_read_generic_home_content(gpg_t)
+ gnome_stream_connect_all_gkeyringd(gpg_t)
+')
+
+optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(gpg_t)
+')
+
+optional_policy(`
+ mta_read_spool_files(gpg_t)
+ mta_write_config(gpg_t)
+')
+
+optional_policy(`
+ spamassassin_read_spamd_tmp_files(gpg_t)
+')
+
+optional_policy(`
+ cron_system_entry(gpg_t, gpg_exec_t)
+ cron_read_system_job_tmp_files(gpg_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gpg_t)
+ xserver_rw_xdm_pipes(gpg_t)
+')
+
+########################################
+#
+# Helper local policy
+#
+
+allow gpg_helper_t self:process { getsched setsched };
+allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+dontaudit gpg_helper_t gpg_secret_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(gpg_helper_t)
+corenet_all_recvfrom_netlabel(gpg_helper_t)
+corenet_tcp_sendrecv_generic_if(gpg_helper_t)
+corenet_tcp_sendrecv_generic_node(gpg_helper_t)
+corenet_tcp_sendrecv_all_ports(gpg_helper_t)
+
+corenet_sendrecv_all_client_packets(gpg_helper_t)
+corenet_tcp_connect_all_ports(gpg_helper_t)
+
+auth_use_nsswitch(gpg_helper_t)
+
+userdom_use_user_terminals(gpg_helper_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(gpg_helper_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files(gpg_helper_t)
+')
+
+########################################
+#
+# Agent local policy
+#
+
+allow gpg_agent_t self:process { setrlimit signal_perms };
+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+
+manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+
+manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)
+
+domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
+
+kernel_dontaudit_search_sysctl(gpg_agent_t)
+kernel_read_core_if(gpg_agent_t)
+kernel_read_system_state(gpg_agent_t)
+
+auth_use_nsswitch(gpg_agent_t)
+
+corecmd_exec_bin(gpg_agent_t)
+corecmd_exec_shell(gpg_agent_t)
+
+dev_read_rand(gpg_agent_t)
+dev_read_urand(gpg_agent_t)
+
+domain_use_interactive_fds(gpg_agent_t)
+
+fs_dontaudit_list_inotifyfs(gpg_agent_t)
+
+miscfiles_read_localization(gpg_agent_t)
+
+userdom_use_user_terminals(gpg_agent_t)
+userdom_search_user_home_dirs(gpg_agent_t)
+userdom_search_user_runtime(gpg_agent_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
+
+ifdef(`hide_broken_symptoms',`
+ userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
+')
+
+tunable_policy(`gpg_agent_env_file',`
+ userdom_manage_user_home_content_dirs(gpg_agent_t)
+ userdom_manage_user_home_content_files(gpg_agent_t)
+ userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
+')
+
+tunable_policy(`gpg_agent_use_card',`
+ dev_read_sysfs(gpg_agent_t)
+ dev_rw_generic_usb_dev(gpg_agent_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_agent_t)
+ fs_manage_nfs_files(gpg_agent_t)
+ fs_manage_nfs_symlinks(gpg_agent_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_agent_t)
+ fs_manage_cifs_files(gpg_agent_t)
+ fs_manage_cifs_symlinks(gpg_agent_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(gpg_agent_t)
+')
+
+optional_policy(`
+ mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+')
+
+optional_policy(`
+ pcscd_stream_connect(gpg_agent_t)
+')
+
+optional_policy(`
+ xserver_sigchld_xdm(gpg_agent_t)
+ xserver_read_user_xauth(gpg_agent_t)
+')
+
+##############################
+#
+# Pinentry local policy
+#
+
+allow gpg_pinentry_t self:process { getcap getsched setsched signal };
+allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:shm create_shm_perms;
+allow gpg_pinentry_t self:tcp_socket { accept listen };
+
+manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
+
+manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+
+can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
+
+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
+kernel_read_system_state(gpg_pinentry_t)
+
+corecmd_exec_shell(gpg_pinentry_t)
+corecmd_exec_bin(gpg_pinentry_t)
+
+corenet_all_recvfrom_netlabel(gpg_pinentry_t)
+corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+
+dev_read_urand(gpg_pinentry_t)
+dev_read_rand(gpg_pinentry_t)
+
+domain_use_interactive_fds(gpg_pinentry_t)
+
+files_map_usr_files(gpg_pinentry_t)
+files_read_usr_files(gpg_pinentry_t)
+
+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
+fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+
+auth_use_nsswitch(gpg_pinentry_t)
+
+logging_send_syslog_msg(gpg_pinentry_t)
+
+miscfiles_read_fonts(gpg_pinentry_t)
+miscfiles_read_localization(gpg_pinentry_t)
+
+userdom_use_user_terminals(gpg_pinentry_t)
+
+xdg_read_data_files(gpg_pinentry_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(gpg_pinentry_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(gpg_pinentry_t)
+ dbus_system_bus_client(gpg_pinentry_t)
+
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
+ ')
+')
+
+optional_policy(`
+ pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+')
+
+ifdef(`distro_gentoo',`
+ optional_policy(`
+ mutt_read_home_files(gpg_t)
+ mutt_read_tmp_files(gpg_t)
+ mutt_rw_tmp_files(gpg_t)
+ ')
+')
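Review bot: `allow gpg_t self:capability { ipc_lock setuid };` at the top of the local policy and `corenet_tcp_connect_all_ports(gpg_t)` a few lines later are the two widest grants in the file and neither says why. The optional `dirmngr_domtrans`/`dirmngr_stream_connect` block suggests keyserver traffic is expected to go through dirmngr, in which case direct TCP to every port from gpg_t looks like a legacy path; a comment such as `# direct keyserver access; gpg >= 2.1 delegates this to dirmngr — confirm still needed` would tell the next reader whether it can be narrowed. For the capability line, `ipc_lock` presumably covers locking secure memory, but `setuid` on gpg_t has no visible consumer here and should be explained or dropped after checking audit logs. Note also that gpg_agent_t, which is the process that actually holds unlocked secrets, gets `setrlimit` but not `ipc_lock`, so the two domains are inconsistent in a way that is worth a one-line comment either way.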
diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
new file mode 100644
index 00000000..48e7739f
--- /dev/null
+++ b/policy/modules/apps/irc.fc
@@ -0,0 +1,10 @@
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
+
+/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
+
+/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
new file mode 100644
index 00000000..ac00fb0f
--- /dev/null
+++ b/policy/modules/apps/irc.if
@@ -0,0 +1,48 @@
+## <summary>IRC client policy.</summary>
+
+########################################
+## <summary>
+## Role access for IRC.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`irc_role',`
+ gen_require(`
+ attribute_role irc_roles;
+ type irc_t, irc_exec_t, irc_home_t;
+ type irc_tmp_t, irc_log_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 irc_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, irc_exec_t, irc_t)
+
+ ps_process_pattern($2, irc_t)
+ allow $2 irc_t:process { ptrace signal_perms };
+
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi")
+ userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd")
+ userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs")
+')
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
new file mode 100644
index 00000000..99ddaecb
--- /dev/null
+++ b/policy/modules/apps/irc.te
@@ -0,0 +1,144 @@
+policy_module(irc, 2.5.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether irc clients can
+## listen on and connect to any
+## unreserved TCP ports.
+## </p>
+## </desc>
+gen_tunable(irc_use_any_tcp_ports, false)
+
+attribute_role irc_roles;
+
+type irc_t;
+type irc_exec_t;
+typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
+typealias irc_t alias { auditadm_irc_t secadm_irc_t };
+userdom_user_application_domain(irc_t, irc_exec_t)
+role irc_roles types irc_t;
+
+type irc_conf_t;
+files_config_file(irc_conf_t)
+
+type irc_home_t;
+typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
+typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
+userdom_user_home_content(irc_home_t)
+
+type irc_log_home_t;
+userdom_user_home_content(irc_log_home_t)
+
+type irc_tmp_t;
+typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
+typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
+userdom_user_tmp_file(irc_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow irc_t self:process { signal sigkill };
+allow irc_t self:fifo_file rw_fifo_file_perms;
+allow irc_t self:unix_stream_socket { accept listen };
+
+allow irc_t irc_conf_t:file read_file_perms;
+
+can_exec(irc_t, irc_exec_t)
+corecmd_search_bin(irc_t)
+
+manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
+manage_files_pattern(irc_t, irc_home_t, irc_home_t)
+manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
+userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi")
+userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd")
+
+manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t)
+create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
+append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
+userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs")
+
+manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+
+kernel_read_system_state(irc_t)
+
+corenet_all_recvfrom_unlabeled(irc_t)
+corenet_all_recvfrom_netlabel(irc_t)
+corenet_tcp_sendrecv_generic_if(irc_t)
+corenet_tcp_sendrecv_generic_node(irc_t)
+corenet_tcp_sendrecv_all_ports(irc_t)
+
+corenet_sendrecv_gatekeeper_client_packets(irc_t)
+corenet_tcp_sendrecv_gatekeeper_port(irc_t)
+corenet_tcp_connect_gatekeeper_port(irc_t)
+
+corenet_sendrecv_http_cache_client_packets(irc_t)
+corenet_tcp_connect_http_cache_port(irc_t)
+corenet_tcp_sendrecv_http_cache_port(irc_t)
+
+corenet_sendrecv_ircd_client_packets(irc_t)
+corenet_tcp_connect_ircd_port(irc_t)
+corenet_tcp_sendrecv_ircd_port(irc_t)
+
+dev_read_urand(irc_t)
+dev_read_rand(irc_t)
+
+domain_use_interactive_fds(irc_t)
+
+files_read_usr_files(irc_t)
+
+fs_getattr_all_fs(irc_t)
+fs_search_auto_mountpoints(irc_t)
+
+term_use_controlling_term(irc_t)
+term_list_ptys(irc_t)
+
+auth_use_nsswitch(irc_t)
+
+init_read_utmp(irc_t)
+init_dontaudit_lock_utmp(irc_t)
+
+miscfiles_read_generic_certs(irc_t)
+miscfiles_read_localization(irc_t)
+
+userdom_use_user_terminals(irc_t)
+
+userdom_user_content_access_template(irc, irc_t)
+
+xdg_manage_downloads(irc_t)
+
+tunable_policy(`irc_use_any_tcp_ports',`
+ allow irc_t self:tcp_socket { accept listen };
+ corenet_sendrecv_all_server_packets(irc_t)
+ corenet_tcp_bind_all_unreserved_ports(irc_t)
+ corenet_sendrecv_all_client_packets(irc_t)
+ corenet_tcp_connect_all_unreserved_ports(irc_t)
+ corenet_tcp_sendrecv_all_ports(irc_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(irc_t)
+ fs_manage_nfs_files(irc_t)
+ fs_manage_nfs_symlinks(irc_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(irc_t)
+ fs_manage_cifs_files(irc_t)
+ fs_manage_cifs_symlinks(irc_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(irc_t)
+')
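Review bot: `corenet_tcp_sendrecv_all_ports(irc_t)` is granted unconditionally in the network block and then repeated inside the `irc_use_any_tcp_ports` tunable, so the second call is dead and the boolean effectively gates only the bind/connect and client/server packet rules. If the unconditional grant is intended, drop the copy inside the tunable; if the sendrecv access is meant to follow the boolean, move the top-level call under `tunable_policy(`irc_use_any_tcp_ports',` instead. A one-line comment above the tunable block saying which of the two was intended would stop the next reader from having to diff the two lists. Separately, `xdg_manage_downloads(irc_t)` gives the client delete/rename over every download, not just DCC transfers it writes; if write/create is all DCC needs, a narrower interface would be preferable, but I cannot tell from here which xdg interfaces exist in this tree.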
diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
new file mode 100644
index 00000000..d2984281
--- /dev/null
+++ b/policy/modules/apps/java.fc
@@ -0,0 +1,38 @@
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0)
+
+/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/(.*/)?bin/java[^-]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib/bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/icedtea[0-9]+/bin/.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/icedtea[0-9]+/jre/bin/.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+# Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise
+/usr/share/maven-bin-[^/]*/bin/m2.conf -- gen_context(system_u:object_r:usr_t,s0)
+')
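Review bot: The `/usr/(.*/)?bin/java[^-]*` entry uses `[^-]*` where every other wildcard in this file uses `[^/]*`, so the tail can span directory separators (the trailing `--` limits the hit to regular files, which makes this mostly theoretical, but the pattern does not say what it means). Excluding hyphenated names is presumably deliberate, to keep hyphenated wrapper scripts out of java_exec_t, so `java[^/-]*` keeps that while staying inside one path component. A short comment on that line explaining the hyphen exclusion would also help, since nothing in the file says why `java-*` is skipped. Note that everything matched here (octave, MATLAB, eclipse, opera) inherits the java domain's network reach, so keeping the patterns tight matters more than usual.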
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
new file mode 100644
index 00000000..c981fc41
--- /dev/null
+++ b/policy/modules/apps/java.if
@@ -0,0 +1,383 @@
+## <summary>Java virtual machine</summary>
+
+########################################
+## <summary>
+## Role access for java.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`java_role',`
+ gen_require(`
+ attribute_role java_roles;
+ type java_t, java_exec_t, java_tmp_t;
+ type java_tmpfs_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 java_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, java_exec_t, java_t)
+
+ allow $2 java_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
+ ps_process_pattern($2, java_t)
+
+ allow $2 java_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { java_tmp_t java_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ allow java_t $2:process signull;
+ allow java_t $2:unix_stream_socket connectto;
+ allow java_t $2:unix_stream_socket { read write };
+ allow java_t $2:tcp_socket { read write };
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type java_home_t;
+ ')
+
+ manage_files_pattern($2, java_home_t, java_home_t)
+ manage_dirs_pattern($2, java_home_t, java_home_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The role template for the java module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`java_role_template',`
+ gen_require(`
+ attribute java_domain;
+ type java_exec_t, java_tmp_t, java_tmpfs_t;
+ type java_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_java_t, java_domain;
+ userdom_user_application_domain($1_java_t, java_exec_t)
+
+ role $2 types $1_java_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($3, java_exec_t, $1_java_t)
+
+ allow $3 $1_java_t:process { ptrace noatsecure siginh rlimitinh signal_perms };
+ ps_process_pattern($3, $1_java_t)
+
+ allow $3 { java_home_t java_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { java_tmp_t java_tmpfs_t java_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $3 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $3 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_user_home_dir_filetrans($3, java_home_t, dir, ".java")
+
+ allow $1_java_t $3:process signull;
+ allow $1_java_t $3:unix_stream_socket connectto;
+ allow $1_java_t $3:unix_stream_socket { read write };
+ allow $1_java_t $3:tcp_socket { read write };
+
+ corecmd_bin_domtrans($1_java_t, $3)
+
+ auth_use_nsswitch($1_java_t)
+
+ optional_policy(`
+ xserver_role($2, $1_java_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the java program in the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`java_domtrans',`
+ gen_require(`
+ type java_t, java_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, java_exec_t, java_t)
+
+ ifdef(`distro_gentoo',`
+ # /usr/bin/java is a symlink
+ files_read_usr_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Execute java in the java domain, and
+## allow the specified role the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`java_run',`
+ gen_require(`
+ attribute_role java_roles;
+ ')
+
+ java_domtrans($1)
+ roleattribute $2 java_roles;
+')
+
+########################################
+## <summary>
+## Execute the java program in the
+## unconfined java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`java_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_java_t, java_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, java_exec_t, unconfined_java_t)
+')
+
+########################################
+## <summary>
+## Execute the java program in the
+## unconfined java domain and allow the
+## specified role the java domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`java_run_unconfined',`
+ gen_require(`
+ attribute_role unconfined_java_roles;
+ ')
+
+ java_domtrans_unconfined($1)
+ roleattribute $2 unconfined_java_roles;
+')
+
+########################################
+## <summary>
+## Execute the java program in
+## the callers domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`java_exec',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, java_exec_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic java home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`java_manage_generic_home_content',`
+ gen_require(`
+ type java_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 java_home_t:dir manage_dir_perms;
+ allow $1 java_home_t:file manage_file_perms;
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## temporary java content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`java_manage_java_tmp',`
+ gen_require(`
+ type java_tmp_t;
+ ')
+
+ allow $1 java_tmp_t:dir manage_dir_perms;
+ allow $1 java_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the generic java
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`java_home_filetrans_java_home',`
+ gen_require(`
+ type java_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, java_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Run java in javaplugin domain and
+## do not clean the environment (atsecure)
+## </summary>
+## <desc>
+## <p>
+## This is needed when java is called by an application with library
+## settings (such as is the case when invoked as a browser plugin)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`java_noatsecure_domtrans',`
+ gen_require(`
+ type java_t;
+ ')
+
+ allow $1 java_t:process noatsecure;
+
+ java_domtrans($1)
+')
+
+# everything after here is gentoo-specific. ifdef's are not allowed for this unfortunately
+
+#######################################
+## <summary>
+## The template for using java in a domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for java applications.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the domain to be given java privs.
+## </summary>
+## </param>
+#
+template(`java_domain_type',`
+ gen_require(`
+ attribute java_domain;
+ ')
+
+ ########################################
+ #
+ # Policy
+ #
+
+ typeattribute $1 java_domain;
+
+ # cannot be called on the attribute, so do it now
+ auth_use_nsswitch($1)
+')
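Review bot: `corecmd_bin_domtrans($1_java_t, $3)` in `java_role_template` lets the derived java domain execute any bin_t program and transition back into the user domain, so as far as I read that interface, confinement of `$1_java_t` is advisory: code running in it regains the full user domain by executing a shell. If this exists for launching desktop applications from Java it should be documented on that line, e.g. `# deliberate: apps launched from Java run in the user domain, so this is not a security boundary`, and the template's `<desc>` should say the same rather than only "derived domains which are used for java applications". Relatedly, `java_role` grants `noatsecure siginh rlimitinh` unconditionally, letting the environment and rlimits cross the transition, while the same permission in `java_noatsecure_domtrans` comes with an explanation; a comment naming the plugin use case on the `java_role` line would make the asymmetry intentional instead of accidental.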
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
new file mode 100644
index 00000000..c9b2487e
--- /dev/null
+++ b/policy/modules/apps/java.te
@@ -0,0 +1,202 @@
+policy_module(java, 2.11.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether java can make
+## its stack executable.
+## </p>
+## </desc>
+gen_tunable(allow_java_execstack, false)
+
+attribute java_domain;
+
+attribute_role java_roles;
+roleattribute system_r java_roles;
+
+attribute_role unconfined_java_roles;
+
+type java_t, java_domain;
+type java_exec_t;
+userdom_user_application_domain(java_t, java_exec_t)
+typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
+typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
+role java_roles types java_t;
+
+optional_policy(`
+ wm_application_domain(java_t, java_exec_t)
+')
+
+type java_home_t;
+userdom_user_home_content(java_home_t)
+
+type java_tmp_t;
+userdom_user_tmp_file(java_tmp_t)
+typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
+typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
+
+type java_tmpfs_t;
+userdom_user_tmpfs_file(java_tmpfs_t)
+typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
+typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
+
+type unconfined_java_t;
+init_system_domain(unconfined_java_t, java_exec_t)
+role unconfined_java_roles types unconfined_java_t;
+
+########################################
+#
+# Common local policy
+#
+
+allow java_domain self:process { signal_perms getsched setsched };
+allow java_domain self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(java_domain, java_home_t, java_home_t)
+manage_files_pattern(java_domain, java_home_t, java_home_t)
+userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".java")
+
+manage_dirs_pattern(java_domain, java_tmp_t, java_tmp_t)
+manage_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+files_tmp_filetrans(java_domain, java_tmp_t, { file dir })
+
+manage_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t)
+manage_lnk_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t)
+manage_fifo_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t)
+manage_sock_files_pattern(java_domain, java_tmpfs_t, java_tmpfs_t)
+fs_tmpfs_filetrans(java_domain, java_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(java_domain, { java_exec_t java_tmp_t })
+
+kernel_read_all_sysctls(java_domain)
+kernel_search_vm_sysctl(java_domain)
+kernel_read_network_state(java_domain)
+kernel_read_system_state(java_domain)
+
+corecmd_search_bin(java_domain)
+
+corenet_all_recvfrom_unlabeled(java_domain)
+corenet_all_recvfrom_netlabel(java_domain)
+corenet_tcp_sendrecv_generic_if(java_domain)
+corenet_tcp_sendrecv_generic_node(java_domain)
+
+corenet_sendrecv_all_client_packets(java_domain)
+corenet_tcp_connect_all_ports(java_domain)
+corenet_tcp_sendrecv_all_ports(java_domain)
+
+dev_read_sound(java_domain)
+dev_write_sound(java_domain)
+dev_read_urand(java_domain)
+dev_read_rand(java_domain)
+dev_dontaudit_append_rand(java_domain)
+
+files_read_usr_files(java_domain)
+files_read_etc_files(java_domain)
+files_read_etc_runtime_files(java_domain)
+
+fs_getattr_all_fs(java_domain)
+fs_dontaudit_rw_tmpfs_files(java_domain)
+
+logging_send_syslog_msg(java_domain)
+
+miscfiles_read_generic_certs(java_domain)
+miscfiles_read_localization(java_domain)
+miscfiles_read_fonts(java_domain)
+
+userdom_dontaudit_use_user_terminals(java_domain)
+userdom_dontaudit_exec_user_home_content_files(java_domain)
+
+userdom_user_content_access_template(java, java_domain)
+userdom_write_user_tmp_sockets(java_domain)
+
+tunable_policy(`java_manage_generic_user_content',`
+ userdom_manage_user_home_content_pipes(java_domain)
+ userdom_manage_user_home_content_sockets(java_domain)
+ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
+')
+
+ifdef(`distro_gentoo',`
+ # For java browser plugin accessing internet resources
+ allow java_domain self:netlink_route_socket create_netlink_socket_perms;
+ allow java_domain self:sem create_sem_perms;
+
+ manage_dirs_pattern(java_domain, java_home_t, java_home_t)
+ manage_files_pattern(java_domain, java_home_t, java_home_t)
+ userdom_user_home_dir_filetrans(java_domain, java_home_t, dir, ".icedtea")
+
+ manage_lnk_files_pattern(java_domain, java_tmp_t, java_tmp_t)
+ files_tmp_filetrans(java_domain, java_tmp_t, lnk_file)
+')
+
+tunable_policy(`allow_java_execstack',`
+ allow java_domain self:process { execmem execstack };
+
+ libs_legacy_use_shared_libs(java_domain)
+ libs_legacy_use_ld_so(java_domain)
+
+ miscfiles_legacy_read_localization(java_domain)
+')
+
+########################################
+#
+# Local policy
+#
+
+auth_use_nsswitch(java_t)
+
+ifdef(`distro_gentoo',`
+ userdom_use_user_terminals(java_t)
+
+ optional_policy(`
+ # Plugin communication
+ chromium_rw_tmp_pipes(java_t)
+ ')
+
+ optional_policy(`
+ # Plugin communication
+ mozilla_rw_tmp_pipes(java_t)
+ ')
+
+ ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(java_t, java_tmpfs_t)
+ ')
+ ')
+')
+
+corecmd_search_bin(java_t)
+
+dev_read_sysfs(java_t)
+
+locallogin_use_fds(java_t)
+
+userdom_read_user_tmp_files(java_t)
+userdom_use_user_terminals(java_t)
+
+optional_policy(`
+ xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
+')
+
+########################################
+#
+# Unconfined local policy
+#
+
+optional_policy(`
+ allow unconfined_java_t self:process { execstack execmem execheap };
+
+ files_execmod_all_files(unconfined_java_t)
+
+ init_dbus_chat_script(unconfined_java_t)
+
+ unconfined_domain_noaudit(unconfined_java_t)
+ unconfined_dbus_chat(unconfined_java_t)
+
+ optional_policy(`
+ rpm_domtrans(unconfined_java_t)
+ ')
+')
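Review bot: `can_exec(java_domain, { java_exec_t java_tmp_t })` together with `manage_files_pattern(java_domain, java_tmp_t, ...)` and the `files_tmp_filetrans` rule gives every java domain a write-then-execute path through /tmp, which sits oddly next to `allow_java_execstack`, where in-memory code execution is kept behind a boolean. If the tmp execution is needed for native libraries unpacked at runtime, say so in a comment above that line; otherwise keep `can_exec(java_domain, java_exec_t)` unconditional and gate `can_exec(java_domain, java_tmp_t)` behind a tunable the same way execstack is. `corenet_tcp_connect_all_ports(java_domain)` is likewise unconditional for all java domains, including reserved ports, whereas the irc module in this same series gates its wide port access behind `irc_use_any_tcp_ports`; a sentence in the common policy section explaining why Java gets this by default would be worth adding.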
diff --git a/policy/modules/apps/libmtp.fc b/policy/modules/apps/libmtp.fc
new file mode 100644
index 00000000..f8b91c24
--- /dev/null
+++ b/policy/modules/apps/libmtp.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+
+/usr/bin/mtp-.* -- gen_context(system_u:object_r:libmtp_exec_t,s0)
diff --git a/policy/modules/apps/libmtp.if b/policy/modules/apps/libmtp.if
new file mode 100644
index 00000000..c010842d
--- /dev/null
+++ b/policy/modules/apps/libmtp.if
@@ -0,0 +1,30 @@
+## <summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
+
+###########################################################
+## <summary>
+## Role access for libmtp.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`libmtp_role',`
+ gen_require(`
+ attribute_role libmtp_roles;
+ type libmtp_t, libmtp_exec_t;
+ ')
+
+ roleattribute $1 libmtp_roles;
+
+ domtrans_pattern($2, libmtp_exec_t, libmtp_t)
+
+ allow $2 libmtp_t:process { ptrace signal_perms };
+ ps_process_pattern($2, libmtp_t)
+')
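Review bot: The module summary reads "An Initiatior implementation" and should be "An Initiator implementation". Unlike `irc_role` and `java_role` in this series, `libmtp_role` gives the user domain no rules on `libmtp_home_t`, so if the user home content attribute does not already cover it (I cannot tell from this hunk), the user cannot relabel or remove their own `~/.mtpz-data`; the parallel would be `allow $2 libmtp_home_t:file { manage_file_perms relabel_file_perms };` plus `userdom_user_home_dir_filetrans($2, libmtp_home_t, file, ".mtpz-data")`, with `libmtp_home_t` added to the `gen_require`. Either way, the interface omits the "Declarations/Policy" section comments the sibling role interfaces carry.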
diff --git a/policy/modules/apps/libmtp.te b/policy/modules/apps/libmtp.te
new file mode 100644
index 00000000..7eb27c40
--- /dev/null
+++ b/policy/modules/apps/libmtp.te
@@ -0,0 +1,60 @@
+policy_module(libmtp, 1.1.0)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether libmtp can read
+## and manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(libmtp_enable_home_dirs, false)
+
+attribute_role libmtp_roles;
+
+type libmtp_t;
+type libmtp_exec_t;
+userdom_user_application_domain(libmtp_t, libmtp_exec_t)
+role libmtp_roles types libmtp_t;
+
+type libmtp_home_t;
+userdom_user_home_content(libmtp_home_t)
+
+##############################
+#
+# libmtp local policy
+#
+
+allow libmtp_t self:capability sys_tty_config;
+allow libmtp_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow libmtp_t self:fifo_file rw_fifo_file_perms;
+
+allow libmtp_t libmtp_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(libmtp_t, libmtp_home_t, file, ".mtpz-data")
+
+dev_read_sysfs(libmtp_t)
+dev_rw_generic_usb_dev(libmtp_t)
+
+domain_use_interactive_fds(libmtp_t)
+
+files_read_etc_files(libmtp_t)
+
+term_use_unallocated_ttys(libmtp_t)
+
+miscfiles_read_localization(libmtp_t)
+
+userdom_use_inherited_user_terminals(libmtp_t)
+
+optional_policy(`
+ udev_read_pid_files(libmtp_t)
+')
+
+tunable_policy(`libmtp_enable_home_dirs',`
+ userdom_manage_user_home_content_files(libmtp_t)
+ userdom_read_user_home_content_symlinks(libmtp_t)
+ userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )
+')
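Review bot: `allow libmtp_t self:capability sys_tty_config;` and `term_use_unallocated_ttys(libmtp_t)` have no visible justification for an MTP command-line client, and sys_tty_config is a real privilege (it covers vhangup and console ioctls). If these came from an audit denial in a specific tool, a comment naming it, e.g. `# mtp-detect probes ttys; observed in audit logs`, would let a later reviewer re-check rather than guess; if not, they should be dropped or turned into dontaudit rules. Minor: `userdom_user_home_dir_filetrans_user_home_content(libmtp_t, file )` has a stray space before the closing parenthesis.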
diff --git a/policy/modules/apps/lightsquid.fc b/policy/modules/apps/lightsquid.fc
new file mode 100644
index 00000000..044390c6
--- /dev/null
+++ b/policy/modules/apps/lightsquid.fc
@@ -0,0 +1,11 @@
+/etc/cron\.daily/lightsquid -- gen_context(system_u:object_r:lightsquid_exec_t,s0)
+
+/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
+/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
+
+/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0)
+
+/var/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
+
+/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:httpd_lightsquid_content_t,s0)
+/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0)
diff --git a/policy/modules/apps/lightsquid.if b/policy/modules/apps/lightsquid.if
new file mode 100644
index 00000000..33a28b9a
--- /dev/null
+++ b/policy/modules/apps/lightsquid.if
@@ -0,0 +1,80 @@
+## <summary>Log analyzer for squid proxy.</summary>
+
+########################################
+## <summary>
+## Execute the lightsquid program in
+## the lightsquid domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lightsquid_domtrans',`
+ gen_require(`
+ type lightsquid_t, lightsquid_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lightsquid_exec_t, lightsquid_t)
+')
+
+########################################
+## <summary>
+## Execute lightsquid in the
+## lightsquid domain, and allow the
+## specified role the lightsquid domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`lightsquid_run',`
+ gen_require(`
+ attribute_role lightsquid_roles;
+ ')
+
+ lightsquid_domtrans($1)
+ roleattribute $2 lightsquid_roles;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an lightsquid environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lightsquid_admin',`
+ gen_require(`
+ type lightsquid_t, lightsquid_rw_content_t;
+ ')
+
+ allow $1 lightsquid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lightsquid_t)
+
+ lightsquid_run($1, $2)
+
+ files_search_var_lib($1)
+ admin_pattern($1, lightsquid_rw_content_t)
+
+ apache_list_sys_content($1)
+')
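Review bot: `lightsquid_admin` calls `files_search_var_lib($1)`, but the module's writable content lives under `/var/lightsquid` according to the .fc and the `files_var_filetrans` rule in lightsquid.te, so the search permission granted does not lead to the directory being administered. `files_search_var($1)` matches the actual layout; an admin domain likely already has that, but the interface should grant what it needs on its own. The `<summary>` could also mention that the admin gets read access to the apache content tree via `apache_list_sys_content`, since that is the one cross-module grant a caller may not expect.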
diff --git a/policy/modules/apps/lightsquid.te b/policy/modules/apps/lightsquid.te
new file mode 100644
index 00000000..09c4f27b
--- /dev/null
+++ b/policy/modules/apps/lightsquid.te
@@ -0,0 +1,52 @@
+policy_module(lightsquid, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role lightsquid_roles;
+roleattribute system_r lightsquid_roles;
+
+type lightsquid_t;
+type lightsquid_exec_t;
+application_domain(lightsquid_t, lightsquid_exec_t)
+role lightsquid_roles types lightsquid_t;
+
+type lightsquid_rw_content_t;
+files_type(lightsquid_rw_content_t)
+
+########################################
+#
+# Local policy
+#
+
+manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir)
+
+corecmd_exec_bin(lightsquid_t)
+corecmd_exec_shell(lightsquid_t)
+
+dev_read_urand(lightsquid_t)
+
+files_read_etc_files(lightsquid_t)
+files_read_usr_files(lightsquid_t)
+
+miscfiles_read_localization(lightsquid_t)
+
+squid_read_config(lightsquid_t)
+squid_read_log(lightsquid_t)
+
+optional_policy(`
+ apache_content_template(lightsquid)
+
+ list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+ read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+ read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t)
+')
+
+optional_policy(`
+ cron_system_entry(lightsquid_t, lightsquid_exec_t)
+')
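Review bot: `files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir)` carries no name filter, so any directory the domain creates directly under /var receives `lightsquid_rw_content_t`, while the .fc pins the type only to `/var/lightsquid`. Passing the name keeps the two consistent: `files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir, "lightsquid")`. The `squid_read_config`/`squid_read_log` calls are unconditional while apache and cron are under `optional_policy`, which makes squid a hard build dependency; that is reasonable for a squid log analyzer but deserves a one-line comment so nobody wraps them in `optional_policy` later and silently loses the log access.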
diff --git a/policy/modules/apps/livecd.fc b/policy/modules/apps/livecd.fc
new file mode 100644
index 00000000..34937fcf
--- /dev/null
+++ b/policy/modules/apps/livecd.fc
@@ -0,0 +1 @@
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
new file mode 100644
index 00000000..e3541811
--- /dev/null
+++ b/policy/modules/apps/livecd.if
@@ -0,0 +1,102 @@
+## <summary>Tool for building alternate livecd for different os and policy versions.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run livecd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`livecd_domtrans',`
+ gen_require(`
+ type livecd_t, livecd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, livecd_exec_t, livecd_t)
+')
+
+########################################
+## <summary>
+## Execute livecd in the livecd
+## domain, and allow the specified
+## role the livecd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_run',`
+ gen_require(`
+ attribute_role livecd_roles;
+ ')
+
+ livecd_domtrans($1)
+ roleattribute $2 livecd_roles;
+')
+
+########################################
+## <summary>
+## Read livecd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_read_tmp_files',`
+ gen_require(`
+ type livecd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
+')
+
+########################################
+## <summary>
+## Read and write livecd temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_tmp_files',`
+ gen_require(`
+ type livecd_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
+')
+
+########################################
+## <summary>
+## Read and write livecd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`livecd_rw_semaphores',`
+ gen_require(`
+ type livecd_t;
+ ')
+
+ allow $1 livecd_t:sem rw_sem_perms;
+')
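Review bot: `livecd_run` is missing the `## <rolecap/>` marker that `loadkeys_run` (loadkeys.if) and `mandb_admin` (mandb.if) in this same series carry in their doc header, which the refpolicy documentation tooling uses to flag interfaces that grant a role a domain. Add `## <rolecap/>` after the role `</param>` block, immediately before the lone `#` line. `mandb_run` in mandb.if and `mono_run` in mono.if have the same omission.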
diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te
new file mode 100644
index 00000000..2f974bf8
--- /dev/null
+++ b/policy/modules/apps/livecd.te
@@ -0,0 +1,48 @@
+policy_module(livecd, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role livecd_roles;
+roleattribute system_r livecd_roles;
+
+type livecd_t;
+type livecd_exec_t;
+application_domain(livecd_t, livecd_exec_t)
+role livecd_roles types livecd_t;
+
+type livecd_tmp_t;
+files_tmp_file(livecd_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit livecd_t self:capability2 mac_admin;
+
+domain_ptrace_all_domains(livecd_t)
+
+manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
+
+sysnet_manage_config(livecd_t)
+sysnet_etc_filetrans_config(livecd_t)
+
+optional_policy(`
+ hal_dbus_chat(livecd_t)
+')
+optional_policy(`
+ mount_run(livecd_t, livecd_roles)
+')
+
+optional_policy(`
+ rpm_domtrans(livecd_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(livecd_t)
+')
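Review bot: `domain_ptrace_all_domains(livecd_t)` is a very broad grant with no comment explaining why an image-building tool needs to trace every domain on the host, and together with `unconfined_domain_noaudit(livecd_t)` in the final optional_policy block the domain is effectively unconfined whenever the unconfined module is built. A reader of the Local policy section should see that stated at the top rather than discover it at the bottom; I would add above the ptrace line `# NOTE: with the unconfined module present this domain is unconfined in all but name (see unconfined_domain_noaudit below); the ptrace grant is presumably for tooling run inside the image — confirm`. `sysnet_manage_config` and `sysnet_etc_filetrans_config` also let livecd_t rewrite the host's network configuration, which may be intended for the chroot but deserves a one-line why-comment of its own.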
diff --git a/policy/modules/apps/loadkeys.fc b/policy/modules/apps/loadkeys.fc
new file mode 100644
index 00000000..38f91fed
--- /dev/null
+++ b/policy/modules/apps/loadkeys.fc
@@ -0,0 +1,2 @@
+/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
+/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
new file mode 100644
index 00000000..101c925d
--- /dev/null
+++ b/policy/modules/apps/loadkeys.if
@@ -0,0 +1,67 @@
+## <summary>Load keyboard mappings.</summary>
+
+########################################
+## <summary>
+## Execute the loadkeys program in
+## the loadkeys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`loadkeys_domtrans',`
+ gen_require(`
+ type loadkeys_t, loadkeys_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
+')
+
+########################################
+## <summary>
+## Execute the loadkeys program in
+## the loadkeys domain, and allow the
+## specified role the loadkeys domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`loadkeys_run',`
+ gen_require(`
+ attribute_role loadkeys_roles;
+ ')
+
+ loadkeys_domtrans($1)
+ roleattribute $2 loadkeys_roles;
+')
+
+########################################
+## <summary>
+## Execute the loadkeys in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`loadkeys_exec',`
+ gen_require(`
+ type loadkeys_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, loadkeys_exec_t)
+')
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
new file mode 100644
index 00000000..1976e2cb
--- /dev/null
+++ b/policy/modules/apps/loadkeys.te
@@ -0,0 +1,57 @@
+policy_module(loadkeys, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role loadkeys_roles;
+
+type loadkeys_t;
+type loadkeys_exec_t;
+init_system_domain(loadkeys_t, loadkeys_exec_t)
+role loadkeys_roles types loadkeys_t;
+
+########################################
+#
+# Local policy
+#
+
+allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
+allow loadkeys_t self:fifo_file rw_fifo_file_perms;
+allow loadkeys_t self:unix_stream_socket { connect create };
+
+kernel_read_system_state(loadkeys_t)
+
+init_use_fds(loadkeys_t)
+
+corecmd_exec_bin(loadkeys_t)
+corecmd_exec_shell(loadkeys_t)
+
+files_read_etc_files(loadkeys_t)
+files_read_etc_runtime_files(loadkeys_t)
+# keymap files are in /usr/share/keymaps or /usr/share/kbd/keymaps
+files_read_usr_files(loadkeys_t)
+files_search_pids(loadkeys_t)
+files_search_src(loadkeys_t)
+files_search_tmp(loadkeys_t)
+
+term_dontaudit_use_console(loadkeys_t)
+term_use_unallocated_ttys(loadkeys_t)
+
+init_read_script_tmp_files(loadkeys_t)
+
+locallogin_use_fds(loadkeys_t)
+
+miscfiles_read_localization(loadkeys_t)
+
+userdom_use_user_ttys(loadkeys_t)
+userdom_list_user_home_content(loadkeys_t)
+
+optional_policy(`
+ keyboardd_read_pipes(loadkeys_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
+')
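Review bot: The capability line `allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };` gives no reason for dac_override and dac_read_search, whereas mandb.te in this series annotates each of its capabilities with the operation that needs it; dac_override is the bit most worth justifying since it bypasses file permission checks entirely. I would add above the rule `# dac_override, dac_read_search: TODO(review) document which keymap/console access fails without them`, and the same treatment is due for `allow lockdev_t self:capability setgid;` in lockdev.te and for the setgid/setuid entries in mandb.te, which are the only two there left without a comment.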
diff --git a/policy/modules/apps/lockdev.fc b/policy/modules/apps/lockdev.fc
new file mode 100644
index 00000000..65ed30df
--- /dev/null
+++ b/policy/modules/apps/lockdev.fc
@@ -0,0 +1,5 @@
+/usr/bin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
+
+/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0)
+
+/var/lock/lockdev(/.*)? gen_context(system_u:object_r:lockdev_lock_t,s0)
diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if
new file mode 100644
index 00000000..4313b8bc
--- /dev/null
+++ b/policy/modules/apps/lockdev.if
@@ -0,0 +1,42 @@
+## <summary>Library for locking devices.</summary>
+
+########################################
+## <summary>
+## Role access for lockdev.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`lockdev_role',`
+ gen_require(`
+ attribute_role lockdev_roles;
+ type lockdev_t, lockdev_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 lockdev_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, lockdev_exec_t, lockdev_t)
+
+ allow $2 lockdev_t:process { ptrace signal_perms };
+ ps_process_pattern($2, lockdev_t)
+
+ allow lockdev_t $2:process signull;
+')
diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te
new file mode 100644
index 00000000..b9c34625
--- /dev/null
+++ b/policy/modules/apps/lockdev.te
@@ -0,0 +1,39 @@
+policy_module(lockdev, 1.6.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role lockdev_roles;
+
+type lockdev_t;
+type lockdev_exec_t;
+typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t };
+typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t };
+userdom_user_application_domain(lockdev_t, lockdev_exec_t)
+role lockdev_roles types lockdev_t;
+
+type lockdev_lock_t;
+typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t };
+typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t };
+files_lock_file(lockdev_lock_t)
+ubac_constrained(lockdev_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+allow lockdev_t self:capability setgid;
+
+manage_files_pattern(lockdev_t, lockdev_lock_t, lockdev_lock_t)
+files_lock_filetrans(lockdev_t, lockdev_lock_t, file)
+
+files_read_all_locks(lockdev_t)
+
+fs_getattr_xattr_fs(lockdev_t)
+
+logging_send_syslog_msg(lockdev_t)
+
+userdom_use_user_terminals(lockdev_t)
diff --git a/policy/modules/apps/man2html.fc b/policy/modules/apps/man2html.fc
new file mode 100644
index 00000000..82f62555
--- /dev/null
+++ b/policy/modules/apps/man2html.fc
@@ -0,0 +1,5 @@
+/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0)
+
+/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
diff --git a/policy/modules/apps/man2html.if b/policy/modules/apps/man2html.if
new file mode 100644
index 00000000..54ec04d3
--- /dev/null
+++ b/policy/modules/apps/man2html.if
@@ -0,0 +1 @@
+## <summary>A Unix manpage-to-HTML converter.</summary>
diff --git a/policy/modules/apps/man2html.te b/policy/modules/apps/man2html.te
new file mode 100644
index 00000000..e08c55d4
--- /dev/null
+++ b/policy/modules/apps/man2html.te
@@ -0,0 +1,26 @@
+policy_module(man2html, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(man2html)
+
+type httpd_man2html_script_cache_t;
+files_type(httpd_man2html_script_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
+files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)
+
+files_read_etc_files(httpd_man2html_script_t)
+
+miscfiles_read_localization(httpd_man2html_script_t)
+miscfiles_read_man_pages(httpd_man2html_script_t)
diff --git a/policy/modules/apps/mandb.fc b/policy/modules/apps/mandb.fc
new file mode 100644
index 00000000..d92a58fd
--- /dev/null
+++ b/policy/modules/apps/mandb.fc
@@ -0,0 +1,3 @@
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/usr/lib/systemd/system/[^/]*man-db.* -- gen_context(system_u:object_r:mandb_unit_t,s0)
diff --git a/policy/modules/apps/mandb.if b/policy/modules/apps/mandb.if
new file mode 100644
index 00000000..e880655d
--- /dev/null
+++ b/policy/modules/apps/mandb.if
@@ -0,0 +1,74 @@
+## <summary>On-line manual database.</summary>
+
+########################################
+## <summary>
+## Execute the mandb program in
+## the mandb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mandb_domtrans',`
+ gen_require(`
+ type mandb_t, mandb_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mandb_exec_t, mandb_t)
+')
+
+########################################
+## <summary>
+## Execute mandb in the mandb
+## domain, and allow the specified
+## role the mandb domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mandb_run',`
+ gen_require(`
+ attribute_role mandb_roles;
+ ')
+
+ mandb_domtrans($1)
+ roleattribute $2 mandb_roles;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an mandb environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mandb_admin',`
+ gen_require(`
+ type mandb_t;
+ ')
+
+ admin_process_pattern($1, mandb_t)
+
+ mandb_run($1, $2)
+')
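Review bot: `mandb_admin` grants process administration and the run interface but does nothing with `mandb_unit_t`, which mandb.te declares with `init_unit_file` and mandb.fc labels onto the man-db systemd units, so no interface exposes the unit to an admin role. If the unit is meant to be controllable by the admin domain, change the require to `type mandb_t, mandb_unit_t;` and add `init_startstop_service($1, $2, mandb_t, mandb_unit_t)` after `mandb_run($1, $2)`; if it is not, a comment saying the unit is intentionally left out would stop the next reader from raising this again.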
diff --git a/policy/modules/apps/mandb.te b/policy/modules/apps/mandb.te
new file mode 100644
index 00000000..48c17bb8
--- /dev/null
+++ b/policy/modules/apps/mandb.te
@@ -0,0 +1,63 @@
+policy_module(mandb, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role mandb_roles;
+roleattribute system_r mandb_roles;
+
+type mandb_t;
+type mandb_exec_t;
+init_system_domain(mandb_t, mandb_exec_t)
+role mandb_roles types mandb_t;
+
+type mandb_unit_t;
+init_unit_file(mandb_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+# dac_override : write /var/cache/man/*
+# fowner : chmod /var/cache/man/*
+# chown : lchown32 /var/cache/man/*
+# fsetid : chmod /var/cache/man/*
+allow mandb_t self:capability { chown dac_override fowner fsetid setgid setuid };
+allow mandb_t self:process { setsched signal };
+allow mandb_t self:fifo_file rw_fifo_file_perms;
+allow mandb_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(mandb_t)
+kernel_read_system_state(mandb_t)
+
+corecmd_exec_bin(mandb_t)
+corecmd_exec_shell(mandb_t)
+
+domain_use_interactive_fds(mandb_t)
+
+files_dontaudit_search_home(mandb_t)
+files_read_etc_files(mandb_t)
+# /usr/local/man
+files_read_usr_symlinks(mandb_t)
+# search /var/run/nscd/socket
+files_search_pids(mandb_t)
+
+fs_getattr_xattr_fs(mandb_t)
+
+miscfiles_manage_man_cache(mandb_t)
+miscfiles_map_man_cache(mandb_t)
+miscfiles_read_man_pages(mandb_t)
+miscfiles_read_localization(mandb_t)
+
+userdom_use_inherited_user_terminals(mandb_t)
+
+ifdef(`init_systemd',`
+ init_search_run(mandb_t)
+')
+
+optional_policy(`
+ cron_system_entry(mandb_t, mandb_exec_t)
+')
diff --git a/policy/modules/apps/mono.fc b/policy/modules/apps/mono.fc
new file mode 100644
index 00000000..b01bc913
--- /dev/null
+++ b/policy/modules/apps/mono.fc
@@ -0,0 +1 @@
+/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
new file mode 100644
index 00000000..70fe6457
--- /dev/null
+++ b/policy/modules/apps/mono.if
@@ -0,0 +1,149 @@
+## <summary>Run .NET server and client applications on Linux.</summary>
+
+#######################################
+## <summary>
+## The role template for the mono module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for mono applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`mono_role_template',`
+ gen_require(`
+ attribute mono_domain;
+ type mono_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_mono_t, mono_domain;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t, mono_exec_t)
+ role $2 types $1_mono_t;
+
+ domain_interactive_fd($1_mono_t)
+ application_type($1_mono_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($3, mono_exec_t, $1_mono_t)
+
+ allow $3 $1_mono_t:process { ptrace noatsecure signal_perms };
+ ps_process_pattern($2, $1_mono_t)
+
+ corecmd_bin_domtrans($1_mono_t, $3)
+
+ userdom_manage_user_tmpfs_files($1_mono_t)
+
+ optional_policy(`
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+
+ xserver_role($1_r, $1_mono_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute mono in the mono domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mono_domtrans',`
+ gen_require(`
+ type mono_t, mono_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mono_exec_t, mono_t)
+')
+
+########################################
+## <summary>
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_run',`
+ gen_require(`
+ attribute_role mono_roles;
+ ')
+
+ mono_domtrans($1)
+ roleattribute $2 mono_roles;
+')
+
+########################################
+## <summary>
+## Execute mono in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_exec',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, mono_exec_t)
+')
+
+########################################
+## <summary>
+## Read and write mono shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
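Review bot: In `mono_role_template`, `ps_process_pattern($2, $1_mono_t)` passes the role parameter ($2, documented as "The role associated with the user domain") where the pattern expects a subject type, while the adjacent `allow $3 $1_mono_t:process { ptrace noatsecure signal_perms };` correctly uses the user domain $3; this either fails to build when the template is instantiated or grants nothing. The xserver line `xserver_role($1_r, $1_mono_t)` likewise rebuilds the role name from the prefix instead of using the $2 the caller supplied, which diverges as soon as the two differ. The fix is `ps_process_pattern($3, $1_mono_t)` and `xserver_role($2, $1_mono_t)`.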
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
new file mode 100644
index 00000000..3bb756a5
--- /dev/null
+++ b/policy/modules/apps/mono.te
@@ -0,0 +1,67 @@
+policy_module(mono, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mono_domain;
+
+attribute_role mono_roles;
+
+type mono_t, mono_domain;
+type mono_exec_t;
+init_system_domain(mono_t, mono_exec_t)
+role mono_roles types mono_t;
+
+application_type(mono_t)
+
+optional_policy(`
+ wm_application_domain(mono_t, mono_exec_t)
+')
+
+########################################
+#
+# Common local policy
+#
+
+allow mono_domain self:process { signal getsched execheap execmem execstack };
+
+########################################
+#
+# local policy
+#
+
+userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
+
+init_dbus_chat_script(mono_t)
+
+optional_policy(`
+ avahi_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ cups_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ hal_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ rpm_dbus_chat(mono_t)
+')
+
+optional_policy(`
+ unconfined_domain(mono_t)
+ unconfined_dbus_chat(mono_t)
+ unconfined_dbus_connect(mono_t)
+')
+
+optional_policy(`
+ xserver_rw_shm(mono_t)
+')
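Review bot: `allow mono_domain self:process { signal getsched execheap execmem execstack };` grants all three writable-and-executable memory permissions to every mono-derived domain with no comment, and these are the rules a reviewer most wants justified since they disable the W^X protections the rest of the policy relies on. I would add above it `# the runtime JIT-compiles managed code into writable memory; presumably execheap/execstack are needed only by older runtimes — confirm and drop what is unused`. The `unconfined_domain(mono_t)` in the later optional_policy block also makes mono_t unconfined whenever the unconfined module is built, which silently supersedes the confinement above; a comment stating that trade-off next to the block would help.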
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
new file mode 100644
index 00000000..15aa39b3
--- /dev/null
+++ b/policy/modules/apps/mozilla.fc
@@ -0,0 +1,50 @@
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_xdg_cache_t,s0)
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.vimperator.* gen_context(system_u:object_r:mozilla_home_t,s0)
+
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
+
+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/firefox-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/iceweasel/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/firefox-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
+/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/opt/firefox/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/firefox/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/run-mozilla\.sh -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/opt/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
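Review bot: The entry `/usr/lib/nspluginwrapper/npviewer.bin` leaves the dot unescaped, so as a regex it matches any single character in that position, unlike `/opt/firefox/libxul\.so` and `/opt/firefox/run-mozilla\.sh` a few lines below which escape theirs. Because this path is labelled mozilla_plugin_exec_t, the pattern decides which binaries may enter the plugin domain, so it should be exact: `/usr/lib/nspluginwrapper/npviewer\.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)`.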
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
new file mode 100644
index 00000000..178d68d8
--- /dev/null
+++ b/policy/modules/apps/mozilla.if
@@ -0,0 +1,638 @@
+## <summary>Policy for Mozilla and related web browsers.</summary>
+
+########################################
+## <summary>
+## Role access for mozilla.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`mozilla_role',`
+ gen_require(`
+ type mozilla_t, mozilla_exec_t, mozilla_home_t;
+ type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
+ type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
+ attribute_role mozilla_roles;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 mozilla_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, mozilla_exec_t, mozilla_t)
+
+ allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
+ ps_process_pattern($2, mozilla_t)
+
+ allow mozilla_t $2:process signull;
+ allow mozilla_t $2:unix_stream_socket connectto;
+
+ allow $2 mozilla_t:fd use;
+ allow $2 mozilla_t:shm rw_shm_perms;
+
+ stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
+
+ allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
+ userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
+ userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
+ userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
+
+ filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+
+ allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+
+ allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ optional_policy(`
+ mozilla_dbus_chat($2)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for mozilla plugin.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`mozilla_role_plugin',`
+ gen_require(`
+ type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t;
+ type mozilla_home_t;
+ ')
+
+ mozilla_run_plugin($2, $1)
+ mozilla_run_plugin_config($2, $1)
+
+ allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms };
+ ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t })
+
+ allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms;
+ allow $2 mozilla_plugin_t:fd use;
+
+ stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
+
+ allow mozilla_plugin_t $2:process signull;
+ allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms };
+ allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms };
+ allow mozilla_plugin_t $2:shm { rw_shm_perms destroy };
+ allow mozilla_plugin_t $2:sem create_sem_perms;
+
+ allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
+ userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
+ userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
+ userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
+
+ allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
+ allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+
+ allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms };
+ allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
+ allow $2 mozilla_plugin_rw_t:file read_file_perms;
+ allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+
+ can_exec($2, mozilla_plugin_rw_t)
+
+ optional_policy(`
+ mozilla_dbus_chat_plugin($2)
+ ')
+')
+
+########################################
+## <summary>
+## Read mozilla home directory content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_read_user_home',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ list_dirs_pattern($1, mozilla_home_t, mozilla_home_t)
+ read_files_pattern($1, mozilla_home_t, mozilla_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+## <summary>
+## Read mozilla home directory files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_read_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mozilla_home_t:dir list_dir_perms;
+ allow $1 mozilla_home_t:file read_file_perms;
+ allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Write mozilla home directory files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_write_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ write_files_pattern($1, mozilla_home_t, mozilla_home_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write mozilla home directory files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mozilla_dontaudit_rw_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ dontaudit $1 mozilla_home_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempt to Create,
+## read, write, and delete mozilla
+## home directory content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`mozilla_dontaudit_manage_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ dontaudit $1 mozilla_home_t:dir manage_dir_perms;
+ dontaudit $1 mozilla_home_t:file manage_file_perms;
+ dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Execute mozilla plugin home directory files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_exec_user_plugin_home_files',`
+ gen_require(`
+ type mozilla_home_t, mozilla_plugin_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+')
+
+########################################
+## <summary>
+## Mozilla plugin home directory file
+## text relocation.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_execmod_user_plugin_home_files',`
+ gen_require(`
+ type mozilla_plugin_home_t;
+ ')
+
+ allow $1 mozilla_plugin_home_t:file execmod;
+')
+
+#######################################
+## <summary>
+## Read temporary mozilla files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_read_tmp_files',`
+ gen_require(`
+ type mozilla_tmp_t;
+ ')
+
+ read_files_pattern($1, mozilla_tmp_t, mozilla_tmp_t)
+')
+
+########################################
+## <summary>
+## Run mozilla in the mozilla domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mozilla_domtrans',`
+ gen_require(`
+ type mozilla_t, mozilla_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run mozilla plugin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mozilla_domtrans_plugin',`
+ gen_require(`
+ type mozilla_plugin_t, mozilla_plugin_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+')
+
+########################################
+## <summary>
+## Execute mozilla plugin in the
+## mozilla plugin domain, and allow
+## the specified role the mozilla
+## plugin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_run_plugin',`
+ gen_require(`
+ attribute_role mozilla_plugin_roles;
+ ')
+
+ mozilla_domtrans_plugin($1)
+ roleattribute $2 mozilla_plugin_roles;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run mozilla plugin config.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mozilla_domtrans_plugin_config',`
+ gen_require(`
+ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
+')
+
+########################################
+## <summary>
+## Execute mozilla plugin config in
+## the mozilla plugin config domain,
+## and allow the specified role the
+## mozilla plugin config domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_run_plugin_config',`
+ gen_require(`
+ attribute_role mozilla_plugin_config_roles;
+ ')
+
+ mozilla_domtrans_plugin_config($1)
+ roleattribute $2 mozilla_plugin_config_roles;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## mozilla over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_dbus_chat',`
+ gen_require(`
+ type mozilla_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 mozilla_t:dbus send_msg;
+ allow mozilla_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## mozilla plugin over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_dbus_chat_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 mozilla_plugin_t:dbus send_msg;
+ allow mozilla_plugin_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read and write mozilla TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_rw_tcp_sockets',`
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mozilla plugin rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_manage_plugin_rw_files',`
+ gen_require(`
+ type mozilla_plugin_rw_t;
+ ')
+
+ libs_search_lib($1)
+ manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+')
+
+########################################
+## <summary>
+## Read mozilla_plugin tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_read_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete mozilla_plugin tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_delete_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Read/write to mozilla's tmp fifo files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_rw_tmp_pipes',`
+ gen_require(`
+ type mozilla_tmp_t;
+ ')
+
+ rw_fifo_files_pattern($1, mozilla_tmp_t, mozilla_tmp_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic mozilla plugin home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_manage_generic_plugin_home_content',`
+ gen_require(`
+ type mozilla_plugin_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mozilla_plugin_home_t:dir manage_dir_perms;
+ allow $1 mozilla_plugin_home_t:file manage_file_perms;
+ allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the generic mozilla
+## plugin home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mozilla_home_filetrans_plugin_home',`
+ gen_require(`
+ type mozilla_plugin_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
+')
+
+# This is gentoo specific but cannot use ifdef distro_gentoo
+
+########################################
+## <summary>
+## Do not audit use of mozilla file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dont audit access from
+## </summary>
+## </param>
+#
+interface(`mozilla_dontaudit_use_fds',`
+ gen_require(`
+ type mozilla_t;
+ ')
+
+ dontaudit $1 mozilla_t:fd use;
+')
+
+########################################
+## <summary>
+## Send messages to mozilla plugin unix datagram sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_send_dgram_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ allow $1 mozilla_plugin_t:unix_dgram_socket sendto;
+')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
new file mode 100644
index 00000000..807d3431
--- /dev/null
+++ b/policy/modules/apps/mozilla.te
@@ -0,0 +1,833 @@
+policy_module(mozilla, 2.13.2)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether mozilla can
+## make its stack executable.
+## </p>
+## </desc>
+gen_tunable(mozilla_execstack, false)
+
+attribute_role mozilla_roles;
+attribute_role mozilla_plugin_roles;
+attribute_role mozilla_plugin_config_roles;
+
+type mozilla_t;
+type mozilla_exec_t;
+typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+userdom_user_application_domain(mozilla_t, mozilla_exec_t)
+role mozilla_roles types mozilla_t;
+
+optional_policy(`
+ wm_application_domain(mozilla_t, mozilla_exec_t)
+')
+
+type mozilla_home_t;
+typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+userdom_user_home_content(mozilla_home_t)
+
+type mozilla_plugin_t;
+type mozilla_plugin_exec_t;
+userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+role mozilla_plugin_roles types mozilla_plugin_t;
+
+type mozilla_plugin_home_t;
+userdom_user_home_content(mozilla_plugin_home_t)
+
+type mozilla_plugin_tmp_t;
+userdom_user_tmp_file(mozilla_plugin_tmp_t)
+
+type mozilla_plugin_tmpfs_t;
+userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
+')
+
+type mozilla_plugin_rw_t;
+files_type(mozilla_plugin_rw_t)
+
+type mozilla_plugin_config_t;
+type mozilla_plugin_config_exec_t;
+userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+role mozilla_plugin_config_roles types mozilla_plugin_config_t;
+
+type mozilla_tmp_t;
+userdom_user_tmp_file(mozilla_tmp_t)
+
+type mozilla_tmpfs_t;
+typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
+typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
+userdom_user_tmpfs_file(mozilla_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(mozilla_tmpfs_t)
+')
+
+type mozilla_xdg_cache_t;
+xdg_cache_content(mozilla_xdg_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mozilla_t self:capability { setgid setuid sys_nice };
+allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+allow mozilla_t self:fifo_file rw_fifo_file_perms;
+allow mozilla_t self:shm create_shm_perms;
+allow mozilla_t self:sem create_sem_perms;
+allow mozilla_t self:socket create_socket_perms;
+allow mozilla_t self:unix_stream_socket { accept listen };
+
+allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
+allow mozilla_t mozilla_plugin_t:fd use;
+
+allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
+allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map };
+allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
+
+filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+
+manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+allow mozilla_t mozilla_tmp_t:file map;
+files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
+
+manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+allow mozilla_t mozilla_plugin_tmpfs_t:file map;
+
+allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
+allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
+allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+
+stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
+
+manage_files_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
+manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
+xdg_cache_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla")
+
+can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
+
+kernel_read_kernel_sysctls(mozilla_t)
+kernel_read_network_state(mozilla_t)
+kernel_read_system_state(mozilla_t)
+kernel_read_net_sysctls(mozilla_t)
+
+corecmd_list_bin(mozilla_t)
+corecmd_exec_shell(mozilla_t)
+corecmd_exec_bin(mozilla_t)
+
+corenet_all_recvfrom_unlabeled(mozilla_t)
+corenet_all_recvfrom_netlabel(mozilla_t)
+corenet_tcp_sendrecv_generic_if(mozilla_t)
+corenet_tcp_sendrecv_generic_node(mozilla_t)
+
+corenet_sendrecv_http_client_packets(mozilla_t)
+corenet_tcp_connect_http_port(mozilla_t)
+corenet_tcp_sendrecv_http_port(mozilla_t)
+
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+
+corenet_sendrecv_squid_client_packets(mozilla_t)
+corenet_tcp_connect_squid_port(mozilla_t)
+corenet_tcp_sendrecv_squid_port(mozilla_t)
+
+corenet_sendrecv_ftp_client_packets(mozilla_t)
+corenet_tcp_connect_ftp_port(mozilla_t)
+corenet_tcp_sendrecv_ftp_port(mozilla_t)
+
+corenet_sendrecv_ipp_client_packets(mozilla_t)
+corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_sendrecv_ipp_port(mozilla_t)
+
+corenet_sendrecv_soundd_client_packets(mozilla_t)
+corenet_tcp_connect_soundd_port(mozilla_t)
+corenet_tcp_sendrecv_soundd_port(mozilla_t)
+
+corenet_sendrecv_speech_client_packets(mozilla_t)
+corenet_tcp_connect_speech_port(mozilla_t)
+corenet_tcp_sendrecv_speech_port(mozilla_t)
+
+dev_getattr_sysfs_dirs(mozilla_t)
+dev_read_sysfs(mozilla_t)
+dev_read_sound(mozilla_t)
+dev_read_rand(mozilla_t)
+dev_read_urand(mozilla_t)
+dev_rw_dri(mozilla_t)
+dev_write_sound(mozilla_t)
+
+domain_dontaudit_read_all_domains_state(mozilla_t)
+
+files_read_etc_runtime_files(mozilla_t)
+files_map_usr_files(mozilla_t)
+files_read_usr_files(mozilla_t)
+files_read_var_files(mozilla_t)
+files_read_var_lib_files(mozilla_t)
+files_read_var_symlinks(mozilla_t)
+files_dontaudit_getattr_boot_dirs(mozilla_t)
+
+fs_getattr_all_fs(mozilla_t)
+fs_search_auto_mountpoints(mozilla_t)
+fs_list_inotifyfs(mozilla_t)
+fs_rw_tmpfs_files(mozilla_t)
+
+term_dontaudit_getattr_pty_dirs(mozilla_t)
+
+auth_use_nsswitch(mozilla_t)
+
+logging_send_syslog_msg(mozilla_t)
+
+miscfiles_read_fonts(mozilla_t)
+miscfiles_read_generic_certs(mozilla_t)
+miscfiles_read_localization(mozilla_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
+
+userdom_use_user_ptys(mozilla_t)
+
+userdom_manage_user_tmp_dirs(mozilla_t)
+userdom_manage_user_tmp_files(mozilla_t)
+
+userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })
+userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
+
+userdom_write_user_tmp_sockets(mozilla_t)
+
+mozilla_run_plugin(mozilla_t, mozilla_roles)
+mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+
+xdg_read_config_files(mozilla_t)
+xdg_read_data_files(mozilla_t)
+xdg_manage_downloads(mozilla_t)
+
+xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+
+ifndef(`enable_mls',`
+ fs_list_dos(mozilla_t)
+ fs_read_dos_files(mozilla_t)
+
+ fs_search_removable(mozilla_t)
+ fs_read_removable_files(mozilla_t)
+ fs_read_removable_symlinks(mozilla_t)
+
+ fs_read_iso9660_files(mozilla_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_t self:process execmem;
+')
+
+tunable_policy(`mozilla_execstack',`
+ allow mozilla_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_t)
+ fs_manage_nfs_files(mozilla_t)
+ fs_manage_nfs_symlinks(mozilla_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_t)
+ fs_manage_cifs_files(mozilla_t)
+ fs_manage_cifs_symlinks(mozilla_t)
+')
+
+optional_policy(`
+ alsa_read_config(mozilla_t)
+ alsa_read_home_files(mozilla_t)
+')
+
+optional_policy(`
+ apache_read_user_scripts(mozilla_t)
+ apache_read_user_content(mozilla_t)
+')
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(mozilla_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(mozilla_t)
+ cups_stream_connect(mozilla_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(mozilla_t)
+ dbus_connect_all_session_bus(mozilla_t)
+ dbus_system_bus_client(mozilla_t)
+
+ optional_policy(`
+ cups_dbus_chat(mozilla_t)
+ ')
+
+ optional_policy(`
+ mozilla_dbus_chat_plugin(mozilla_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(mozilla_t)
+ ')
+')
+
+optional_policy(`
+ evolution_domtrans(mozilla_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(mozilla_t)
+ gnome_manage_generic_gconf_home_content(mozilla_t)
+ gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf")
+ gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd")
+ gnome_manage_generic_home_content(mozilla_t)
+ gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome")
+ gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2")
+ gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+')
+
+optional_policy(`
+ java_exec(mozilla_t)
+ java_manage_generic_home_content(mozilla_t)
+ java_manage_java_tmp(mozilla_t)
+ java_home_filetrans_java_home(mozilla_t, dir, ".java")
+')
+
+optional_policy(`
+ lpd_run_lpr(mozilla_t, mozilla_roles)
+')
+
+optional_policy(`
+ mplayer_exec(mozilla_t)
+ mplayer_manage_generic_home_content(mozilla_t)
+ mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
+')
+
+optional_policy(`
+ ooffice_domtrans(mozilla_t)
+ ooffice_rw_tmp_files(mozilla_t)
+')
+
+optional_policy(`
+ pulseaudio_run(mozilla_t, mozilla_roles)
+')
+
+optional_policy(`
+ thunderbird_domtrans(mozilla_t)
+')
+
+########################################
+#
+# Plugin local policy
+#
+
+dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config };
+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit };
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mozilla_plugin_t self:sem create_sem_perms;
+allow mozilla_plugin_t self:shm create_shm_perms;
+allow mozilla_plugin_t self:tcp_socket { accept listen };
+allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen };
+
+allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms;
+allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms;
+allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy };
+allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
+
+manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
+manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+allow mozilla_plugin_t mozilla_home_t:file map;
+
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix")
+
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient")
+userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
+
+filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+
+allow mozilla_plugin_t mozilla_tmp_t:file rw_file_perms;
+
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
+allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+
+dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+
+can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+
+kernel_read_all_sysctls(mozilla_plugin_t)
+kernel_read_system_state(mozilla_plugin_t)
+kernel_read_network_state(mozilla_plugin_t)
+kernel_request_load_module(mozilla_plugin_t)
+kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+
+corecmd_exec_bin(mozilla_plugin_t)
+corecmd_exec_shell(mozilla_plugin_t)
+
+corenet_all_recvfrom_netlabel(mozilla_plugin_t)
+corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
+
+corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
+
+corenet_sendrecv_ftp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_ftp_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t)
+
+corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t)
+
+corenet_sendrecv_http_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_http_port(mozilla_plugin_t)
+
+corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t)
+
+corenet_sendrecv_ipp_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_ipp_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t)
+
+corenet_sendrecv_ircd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_ircd_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t)
+
+corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t)
+
+corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t)
+
+corenet_sendrecv_monopd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_monopd_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t)
+
+corenet_sendrecv_soundd_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_soundd_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t)
+
+corenet_sendrecv_speech_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_speech_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_speech_port(mozilla_plugin_t)
+
+corenet_sendrecv_squid_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_squid_port(mozilla_plugin_t)
+
+corenet_sendrecv_vnc_client_packets(mozilla_plugin_t)
+corenet_tcp_connect_vnc_port(mozilla_plugin_t)
+corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
+
+dev_read_generic_usb_dev(mozilla_plugin_t)
+dev_read_rand(mozilla_plugin_t)
+dev_read_realtime_clock(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_urand(mozilla_plugin_t)
+dev_read_video_dev(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
+dev_write_video_dev(mozilla_plugin_t)
+dev_rw_dri(mozilla_plugin_t)
+dev_rw_xserver_misc(mozilla_plugin_t)
+
+dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
+dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
+dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
+dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
+
+domain_use_interactive_fds(mozilla_plugin_t)
+domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+
+files_exec_usr_files(mozilla_plugin_t)
+files_list_mnt(mozilla_plugin_t)
+files_read_config_files(mozilla_plugin_t)
+files_read_usr_files(mozilla_plugin_t)
+files_map_usr_files(mozilla_plugin_t)
+
+fs_getattr_all_fs(mozilla_plugin_t)
+# fs_read_hugetlbfs_files(mozilla_plugin_t)
+fs_search_auto_mountpoints(mozilla_plugin_t)
+
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+
+application_exec(mozilla_plugin_t)
+
+auth_use_nsswitch(mozilla_plugin_t)
+
+libs_exec_ld_so(mozilla_plugin_t)
+libs_exec_lib_files(mozilla_plugin_t)
+
+logging_send_syslog_msg(mozilla_plugin_t)
+
+miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
+miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
+
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_manage_user_tmp_files(mozilla_plugin_t)
+
+userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
+
+userdom_write_user_tmp_sockets(mozilla_plugin_t)
+
+userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+
+xdg_read_config_files(mozilla_plugin_t)
+
+ifndef(`enable_mls',`
+ fs_list_dos(mozilla_plugin_t)
+ fs_read_dos_files(mozilla_plugin_t)
+
+ fs_search_removable(mozilla_plugin_t)
+ fs_read_removable_files(mozilla_plugin_t)
+ fs_read_removable_symlinks(mozilla_plugin_t)
+
+ fs_read_iso9660_files(mozilla_plugin_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_plugin_t self:process execmem;
+')
+
+tunable_policy(`mozilla_execstack',`
+ allow mozilla_plugin_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_plugin_t)
+ fs_manage_nfs_files(mozilla_plugin_t)
+ fs_manage_nfs_symlinks(mozilla_plugin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_plugin_t)
+ fs_manage_cifs_files(mozilla_plugin_t)
+ fs_manage_cifs_symlinks(mozilla_plugin_t)
+')
+
+optional_policy(`
+ alsa_read_config(mozilla_plugin_t)
+ alsa_read_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(mozilla_plugin_t)
+ dbus_connect_all_session_bus(mozilla_plugin_t)
+ dbus_system_bus_client(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_generic_home_content(mozilla_plugin_t)
+ gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
+ gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
+ gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
+')
+
+optional_policy(`
+ java_exec(mozilla_plugin_t)
+ java_manage_generic_home_content(mozilla_plugin_t)
+ java_manage_java_tmp(mozilla_plugin_t)
+ java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
+')
+
+optional_policy(`
+ lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
+')
+
+optional_policy(`
+ mplayer_exec(mozilla_plugin_t)
+ mplayer_manage_generic_home_content(mozilla_plugin_t)
+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
+')
+
+optional_policy(`
+ pcscd_stream_connect(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+')
+
+optional_policy(`
+ udev_read_db(mozilla_plugin_t)
+')
+
+optional_policy(`
+ xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_read_xdm_pid(mozilla_plugin_t)
+ xserver_stream_connect(mozilla_plugin_t)
+ xserver_use_user_fonts(mozilla_plugin_t)
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
+')
+
+########################################
+#
+# Plugin config local policy
+#
+
+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
+allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
+allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
+allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
+
+manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
+manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
+
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
+
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
+userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
+
+filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+
+can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+
+ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+
+kernel_read_system_state(mozilla_plugin_config_t)
+kernel_request_load_module(mozilla_plugin_config_t)
+
+corecmd_exec_bin(mozilla_plugin_config_t)
+corecmd_exec_shell(mozilla_plugin_config_t)
+
+dev_read_urand(mozilla_plugin_config_t)
+dev_rw_dri(mozilla_plugin_config_t)
+dev_search_sysfs(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+
+domain_use_interactive_fds(mozilla_plugin_config_t)
+
+files_list_tmp(mozilla_plugin_config_t)
+files_read_usr_files(mozilla_plugin_config_t)
+files_dontaudit_search_home(mozilla_plugin_config_t)
+
+fs_getattr_all_fs(mozilla_plugin_config_t)
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
+
+auth_use_nsswitch(mozilla_plugin_config_t)
+
+miscfiles_read_localization(mozilla_plugin_config_t)
+miscfiles_read_fonts(mozilla_plugin_config_t)
+
+userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
+userdom_read_user_home_content_files(mozilla_plugin_config_t)
+
+userdom_use_user_ptys(mozilla_plugin_config_t)
+
+mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_plugin_config_t self:process execmem;
+')
+
+tunable_policy(`mozilla_execstack',`
+ allow mozilla_plugin_config_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_plugin_config_t)
+ fs_manage_nfs_files(mozilla_plugin_config_t)
+ fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_plugin_config_t)
+ fs_manage_cifs_files(mozilla_plugin_config_t)
+ fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+')
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+')
+
+optional_policy(`
+ xserver_use_user_fonts(mozilla_plugin_config_t)
+')
+
+ifdef(`distro_gentoo',`
+## <desc>
+## <p>
+## Determine whether mozilla firefox can bind TCP sockets to all
+## unreserved ports (for instance used with various Proxy
+## management extensions).
+## </p>
+## </desc>
+gen_tunable(mozilla_bind_all_unreserved_ports, false)
+
+## <desc>
+## <p>
+## Determine whether mozilla firefox plugins can connect to
+## unreserved ports (for instance when dealing with Google Talk)
+## </p>
+## </desc>
+gen_tunable(mozilla_plugin_connect_all_unreserved, false)
+
+ #####################
+ #
+ # Mozilla policy
+ #
+
+ allow mozilla_t mozilla_plugin_t:process { rlimitinh siginh noatsecure };
+ allow mozilla_t self:process execmem; # Startup of firefox (otherwise immediately killed)
+
+ manage_fifo_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
+
+ allow mozilla_t mozilla_xdg_cache_t:file map;
+
+ corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
+ corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+ corenet_sendrecv_tor_client_packets(mozilla_t)
+ corenet_tcp_connect_tor_port(mozilla_t)
+ corenet_tcp_sendrecv_tor_port(mozilla_t)
+
+ domain_use_interactive_fds(mozilla_t)
+
+ userdom_search_user_home_dirs(mozilla_t)
+ # This deprecates userdom_use_user_ptys(mozilla_t) mentioned earlier
+ userdom_use_user_terminals(mozilla_t)
+
+ tunable_policy(`mozilla_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(mozilla_t)
+ corenet_tcp_bind_all_unreserved_ports(mozilla_t)
+ corenet_tcp_sendrecv_all_ports(mozilla_t)
+ ')
+
+ optional_policy(`
+ # was in java tunable, upstream added unconditionally
+ chromium_tmp_filetrans(mozilla_t, mozilla_tmp_t, fifo_file)
+ ')
+
+ optional_policy(`
+ nscd_socket_use(mozilla_t)
+ ')
+
+ ifdef(`use_alsa',`
+ optional_policy(`
+ # HTML5 support is built-in (no plugin) - bug 464398
+ alsa_domain(mozilla_t, mozilla_tmpfs_t)
+ ')
+ ')
+
+ ###########################
+ #
+ # Mozilla plugin policy
+ #
+
+ allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+ allow mozilla_plugin_t self:udp_socket create_socket_perms;
+ allow mozilla_plugin_t self:process execmem; # Needed for flash plugin
+
+ # Stupid google talk plugin runs find against /etc
+ files_dontaudit_getattr_all_dirs(mozilla_plugin_t)
+
+ corenet_sendrecv_pulseaudio_client_packets(mozilla_plugin_t)
+ corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+ corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t)
+
+ userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+ userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+
+ xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, mozilla_plugin_tmpfs_t)
+
+ tunable_policy(`mozilla_plugin_connect_all_unreserved', `
+ corenet_sendrecv_all_client_packets(mozilla_plugin_t)
+ corenet_tcp_connect_all_unreserved_ports(mozilla_plugin_t)
+ ',`
+ corenet_dontaudit_tcp_connect_all_unreserved_ports(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+ flash_manage_home(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+ googletalk_domtrans_plugin(mozilla_plugin_t)
+ googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config(mozilla_plugin_t, dir, "google-googletalkplugin")
+ googletalk_manage_plugin_xdg_config(mozilla_plugin_t)
+ googletalk_use_plugin_fds(mozilla_plugin_t)
+ googletalk_rw_inherited_plugin_unix_stream_sockets(mozilla_plugin_t)
+ ')
+
+ ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
+ ')
+ ')
+
+ optional_policy(`
+ gnome_dbus_chat_gconfd(mozilla_t)
+ ')
+')
diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc
new file mode 100644
index 00000000..03ace714
--- /dev/null
+++ b/policy/modules/apps/mplayer.fc
@@ -0,0 +1,17 @@
+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
+
+/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0)
+
+/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
+/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+HOME_DIR/\.mpv(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
+
+/etc/mpv(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0)
+
+/usr/bin/mplayer2 -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mpv -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+')
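Review bot: The `HOME_DIR/\.mpv(/.*)?` entry in the distro_gentoo block labels a directory that nothing in mplayer.te creates with that type: the only home-directory transition in that module is for ".mplayer" (the Gentoo block there adds none for ".mpv"), so if mpv creates ~/.mpv itself the directory will presumably come up with the generic user home type and only become mplayer_home_t after a restorecon. Either add `userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir, ".mpv")` inside the distro_gentoo block of mplayer.te, or drop this entry if mpv on this distribution keeps its state under ~/.config/mpv. The `/etc/mpv` entry is installed by the package and labelled at install time, so it does not have the same problem.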
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
new file mode 100644
index 00000000..861d5e97
--- /dev/null
+++ b/policy/modules/apps/mplayer.if
@@ -0,0 +1,163 @@
+## <summary>Mplayer media player and encoder.</summary>
+
+########################################
+## <summary>
+## Role access for mplayer
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`mplayer_role',`
+ gen_require(`
+ attribute_role mencoder_roles, mplayer_roles;
+ type mencoder_t, mencoder_exec_t, mplayer_home_t;
+ type mplayer_t, mplayer_exec_t, mplayer_tmpfs_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ roleattribute $1 mencoder_roles;
+ roleattribute $1 mplayer_roles;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern($2, mencoder_exec_t, mencoder_t)
+ domtrans_pattern($2, mplayer_exec_t, mplayer_t)
+
+ allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
+ ps_process_pattern($2, { mplayer_t mencoder_t })
+
+ allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 mplayer_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 mplayer_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, mplayer_home_t, dir, ".mplayer")
+
+ allow $2 mplayer_tmpfs_t:file { manage_file_perms relabel_file_perms };
+ allow $2 mplayer_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 mplayer_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 mplayer_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+')
+
+########################################
+## <summary>
+## Run mplayer in mplayer domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mplayer_domtrans',`
+ gen_require(`
+ type mplayer_t, mplayer_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mplayer_exec_t, mplayer_t)
+')
+
+########################################
+## <summary>
+## Execute mplayer in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`mplayer_exec',`
+ gen_require(`
+ type mplayer_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, mplayer_exec_t)
+')
+
+########################################
+## <summary>
+## Read mplayer user home content files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mplayer_read_user_home_files',`
+ gen_require(`
+ type mplayer_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, mplayer_home_t, mplayer_home_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic mplayer home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mplayer_manage_generic_home_content',`
+ gen_require(`
+ type mplayer_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 mplayer_home_t:dir manage_dir_perms;
+ allow $1 mplayer_home_t:file manage_file_perms;
+ allow $1 mplayer_home_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in user home
+## directories with the generic mplayer
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`mplayer_home_filetrans_mplayer_home',`
+ gen_require(`
+ type mplayer_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3)
+')
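Review bot: The summary of `mplayer_role` says only "Role access for mplayer", but the interface also adds the role to mencoder_roles and sets up the domain transition and ptrace/signal access for mencoder_t; the summary should say so, e.g. `## Role access for mplayer and mencoder.`, so a caller knows it is granting two application domains at once. A reader also cannot tell from the interface why the role gets manage and relabel rights on mplayer_tmpfs_t but no dir permissions on it; a one-line comment such as `# mplayer_t only creates non-directory objects on tmpfs (see mplayer.te)` would make the asymmetry deliberate rather than accidental. Cosmetic: the comment header before `mplayer_exec` has a doubled `#` separator line that the other interfaces do not.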
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
new file mode 100644
index 00000000..91b9569d
--- /dev/null
+++ b/policy/modules/apps/mplayer.te
@@ -0,0 +1,282 @@
+policy_module(mplayer, 2.7.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether mplayer can make
+## its stack executable.
+## </p>
+## </desc>
+gen_tunable(allow_mplayer_execstack, false)
+
+attribute_role mencoder_roles;
+attribute_role mplayer_roles;
+
+type mencoder_t;
+type mencoder_exec_t;
+typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t };
+typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t };
+userdom_user_application_domain(mencoder_t, mencoder_exec_t)
+role mencoder_roles types mencoder_t;
+
+type mplayer_t;
+type mplayer_exec_t;
+typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t };
+typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t };
+userdom_user_application_domain(mplayer_t, mplayer_exec_t)
+role mplayer_roles types mplayer_t;
+
+optional_policy(`
+ wm_application_domain(mplayer_t, mplayer_exec_t)
+')
+
+type mplayer_etc_t;
+files_config_file(mplayer_etc_t)
+
+type mplayer_home_t;
+typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
+typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
+userdom_user_home_content(mplayer_home_t)
+
+type mplayer_tmpfs_t;
+typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t };
+typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t };
+userdom_user_tmpfs_file(mplayer_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(mplayer_tmpfs_t)
+')
+
+########################################
+#
+# Mencoder local policy
+#
+
+allow mencoder_t mplayer_etc_t:dir list_dir_perms;
+allow mencoder_t mplayer_etc_t:file read_file_perms;
+allow mencoder_t mplayer_etc_t:lnk_file read_lnk_file_perms;
+
+allow mencoder_t mplayer_home_t:dir manage_dir_perms;
+allow mencoder_t mplayer_home_t:file manage_file_perms;
+allow mencoder_t mplayer_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(mencoder_t, mplayer_home_t, dir, ".mplayer")
+
+kernel_read_system_state(mencoder_t)
+kernel_read_kernel_sysctls(mencoder_t)
+
+dev_rwx_zero(mencoder_t)
+dev_read_video_dev(mencoder_t)
+
+files_read_usr_files(mencoder_t)
+
+fs_search_auto_mountpoints(mencoder_t)
+
+storage_raw_read_removable_device(mencoder_t)
+
+miscfiles_read_localization(mencoder_t)
+
+userdom_use_user_terminals(mencoder_t)
+
+userdom_manage_user_tmp_dirs(mencoder_t)
+userdom_manage_user_tmp_files(mencoder_t)
+
+userdom_user_content_access_template(mplayer_mencoder, mencoder_t)
+
+xdg_manage_music(mencoder_t)
+xdg_manage_videos(mencoder_t)
+
+ifndef(`enable_mls',`
+ fs_list_dos(mencoder_t)
+ fs_read_dos_files(mencoder_t)
+
+ fs_search_removable(mencoder_t)
+ fs_read_removable_files(mencoder_t)
+ fs_read_removable_symlinks(mencoder_t)
+
+ fs_read_iso9660_files(mencoder_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mencoder_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mencoder_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mencoder_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(mencoder_t)
+ fs_manage_nfs_dirs(mencoder_t)
+ fs_manage_nfs_files(mencoder_t)
+ fs_manage_nfs_symlinks(mencoder_t)
+
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(mencoder_t)
+ fs_manage_cifs_dirs(mencoder_t)
+ fs_manage_cifs_files(mencoder_t)
+ fs_manage_cifs_symlinks(mencoder_t)
+')
+
+########################################
+#
+# Mplayer local policy
+#
+
+allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:fifo_file rw_fifo_file_perms;
+allow mplayer_t self:sem create_sem_perms;
+allow mplayer_t self:udp_socket create_socket_perms;
+
+allow mplayer_t mplayer_etc_t:dir list_dir_perms;
+allow mplayer_t mplayer_etc_t:file read_file_perms;
+allow mplayer_t mplayer_etc_t:lnk_file read_lnk_file_perms;
+
+allow mplayer_t mplayer_home_t:dir manage_dir_perms;
+allow mplayer_t mplayer_home_t:file manage_file_perms;
+allow mplayer_t mplayer_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir, ".mplayer")
+
+manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+kernel_dontaudit_list_unlabeled(mplayer_t)
+kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
+kernel_dontaudit_read_unlabeled_files(mplayer_t)
+kernel_read_system_state(mplayer_t)
+kernel_read_kernel_sysctls(mplayer_t)
+
+corecmd_exec_bin(mplayer_t)
+corecmd_exec_shell(mplayer_t)
+
+corenet_all_recvfrom_unlabeled(mplayer_t)
+corenet_all_recvfrom_netlabel(mplayer_t)
+corenet_tcp_sendrecv_generic_if(mplayer_t)
+corenet_tcp_sendrecv_generic_node(mplayer_t)
+
+corenet_tcp_connect_http_port(mplayer_t)
+corenet_tcp_sendrecv_http_port(mplayer_t)
+corenet_sendrecv_http_client_packets(mplayer_t)
+
+dev_read_rand(mplayer_t)
+dev_read_realtime_clock(mplayer_t)
+dev_read_sound_mixer(mplayer_t)
+dev_read_urand(mplayer_t)
+dev_read_video_dev(mplayer_t)
+dev_write_sound_mixer(mplayer_t)
+dev_write_video_dev(mplayer_t)
+dev_rwx_zero(mplayer_t)
+
+domain_use_interactive_fds(mplayer_t)
+
+storage_raw_read_removable_device(mplayer_t)
+
+files_dontaudit_list_non_security(mplayer_t)
+files_dontaudit_getattr_non_security_files(mplayer_t)
+files_read_non_security_files(mplayer_t)
+files_list_home(mplayer_t)
+files_read_etc_runtime_files(mplayer_t)
+files_read_usr_files(mplayer_t)
+
+fs_getattr_all_fs(mplayer_t)
+fs_search_auto_mountpoints(mplayer_t)
+fs_list_inotifyfs(mplayer_t)
+
+auth_use_nsswitch(mplayer_t)
+
+logging_send_syslog_msg(mplayer_t)
+
+miscfiles_read_localization(mplayer_t)
+miscfiles_read_fonts(mplayer_t)
+
+userdom_use_user_terminals(mplayer_t)
+
+userdom_manage_user_tmp_dirs(mplayer_t)
+userdom_manage_user_tmp_files(mplayer_t)
+userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })
+
+userdom_user_content_access_template(mplayer, mplayer_t)
+
+userdom_write_user_tmp_sockets(mplayer_t)
+
+xdg_read_music(mplayer_t)
+xdg_read_videos(mplayer_t)
+
+xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+
+ifndef(`enable_mls',`
+ fs_list_dos(mplayer_t)
+ fs_read_dos_files(mplayer_t)
+
+ fs_search_removable(mplayer_t)
+ fs_read_removable_files(mplayer_t)
+ fs_read_removable_symlinks(mplayer_t)
+
+ fs_read_iso9660_files(mplayer_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mplayer_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mplayer_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mplayer_t)
+ fs_manage_nfs_files(mplayer_t)
+ fs_manage_nfs_symlinks(mplayer_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mplayer_t)
+ fs_manage_cifs_files(mplayer_t)
+ fs_manage_cifs_symlinks(mplayer_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t mplayer_tmpfs_t:file execute;
+')
+
+optional_policy(`
+ alsa_read_config(mplayer_t)
+')
+
+optional_policy(`
+ pulseaudio_run(mplayer_t, mplayer_roles)
+')
+
+ifdef(`distro_gentoo',`
+ ######################################
+ #
+ # Local mplayer_t policy
+ #
+
+ tunable_policy(`mplayer_manage_generic_user_content',`
+ userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
+ ')
+
+ ifdef(`use_alsa',`
+ optional_policy(`
+ alsa_domain(mplayer_t, mplayer_tmpfs_t)
+ ')
+ ')
+')
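Review bot: `dev_rwx_zero(mplayer_t)` (and the same grant for mencoder_t) is unconditional, which undercuts the `allow_execmem` and `allow_mplayer_execstack` tunables below it: as far as I recall the kernel checks a MAP_SHARED PROT_WRITE|PROT_EXEC mapping of /dev/zero as file read/write/execute on the device rather than as process execmem, so the domain can obtain writable-and-executable memory with both tunables off. If the rwx grant exists only for binary codec loaders, keep `dev_rw_zero(mplayer_t)` unconditional and move `dev_rwx_zero(mplayer_t)` into the `allow_execmem` tunable block (same for mencoder_t), and merge the second `allow_mplayer_execstack` block (the `mplayer_tmpfs_t:file execute` rule) into the first so the tunable's whole effect is in one place. Separately, `fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t, { dir file lnk_file sock_file fifo_file })` lists `dir` but there is no `manage_dirs_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)`, so the directory create itself will be denied; add the dirs pattern (as the podsleuth hunk in this diff does) or drop `dir` from the class list.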
diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc
new file mode 100644
index 00000000..6613bb44
--- /dev/null
+++ b/policy/modules/apps/openoffice.fc
@@ -0,0 +1,30 @@
+HOME_DIR/\.openoffice(\.org)?(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0)
+
+/opt/openoffice(.*)?/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0)
+/opt/openoffice(.*)?/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0)
diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if
new file mode 100644
index 00000000..5580aaf7
--- /dev/null
+++ b/policy/modules/apps/openoffice.if
@@ -0,0 +1,134 @@
+## <summary>Openoffice suite.</summary>
+
+############################################################
+## <summary>
+## Role access for openoffice.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ooffice_role',`
+ gen_require(`
+ attribute_role ooffice_roles;
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ roleattribute $1 ooffice_roles;
+
+ allow ooffice_t $2:unix_stream_socket connectto;
+
+ domtrans_pattern($2, ooffice_exec_t, ooffice_t)
+
+ allow $2 ooffice_t:process { ptrace signal_perms };
+ ps_process_pattern($2, ooffice_t)
+
+ optional_policy(`
+ ooffice_dbus_chat($2)
+ ')
+')
+
+########################################
+## <summary>
+## Run openoffice in its own domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ooffice_domtrans',`
+ gen_require(`
+ type ooffice_t, ooffice_exec_t;
+ ')
+
+ domtrans_pattern($1, ooffice_exec_t, ooffice_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ooffice_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ dontaudit $1 ooffice_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write temporary
+## openoffice files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_rw_tmp_files',`
+ gen_require(`
+ type ooffice_tmp_t;
+ ')
+
+ rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t)
+')
+
+#######################################
+## <summary>
+## Send and receive dbus messages
+## from and to the openoffice
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_dbus_chat',`
+ gen_require(`
+ type ooffice_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 ooffice_t:dbus send_msg;
+ allow ooffice_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Connect to openoffice using a
+## unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ooffice_stream_connect',`
+ gen_require(`
+ type ooffice_t, ooffice_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, ooffice_tmp_t, ooffice_tmp_t, ooffice_t)
+')
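Review bot: `ooffice_rw_tmp_files` grants read/write on ooffice_tmp_t files but no `files_search_tmp($1)`, so a caller that does not already search /tmp cannot reach them; the sibling `ooffice_stream_connect` in this same hunk does include `files_search_tmp($1)`, so add that line before the `rw_files_pattern` call. Also worth a comment: `ooffice_role` contains `allow ooffice_t $2:unix_stream_socket connectto`, a grant in the reverse direction (the confined application connecting to sockets owned by the user domain) that the interface summary does not explain; a line such as `# ooffice_t connects back to stream sockets of the invoking user domain (TODO confirm which)` above it would keep the next maintainer from removing it as a mistake.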
diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te
new file mode 100644
index 00000000..2cb4d6d2
--- /dev/null
+++ b/policy/modules/apps/openoffice.te
@@ -0,0 +1,158 @@
+policy_module(openoffice, 1.3.1)
+
+##############################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether openoffice can
+## download software updates from the
+## network (application and/or
+## extensions).
+## </p>
+## </desc>
+gen_tunable(openoffice_allow_update, true)
+
+## <desc>
+## <p>
+## Determine whether openoffice writer
+## can send emails directly (print to
+## email). This is different from the
+## functionality of sending emails
+## through external clients which is
+## always enabled.
+## </p>
+## </desc>
+gen_tunable(openoffice_allow_email, false)
+
+attribute_role ooffice_roles;
+
+type ooffice_t;
+type ooffice_exec_t;
+userdom_user_application_domain(ooffice_t, ooffice_exec_t)
+role ooffice_roles types ooffice_t;
+
+optional_policy(`
+ wm_application_domain(ooffice_t, ooffice_exec_t)
+')
+
+type ooffice_home_t;
+userdom_user_home_content(ooffice_home_t)
+
+type ooffice_tmp_t;
+files_tmp_file(ooffice_tmp_t)
+
+##############################
+#
+# Openoffice local policy
+#
+
+allow ooffice_t self:process { execmem getsched signal };
+allow ooffice_t self:shm create_shm_perms;
+allow ooffice_t self:fifo_file rw_fifo_file_perms;
+allow ooffice_t self:unix_stream_socket connectto;
+
+allow ooffice_t ooffice_home_t:dir manage_dir_perms;
+allow ooffice_t ooffice_home_t:file manage_file_perms;
+allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms;
+userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
+
+manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+
+can_exec(ooffice_t, ooffice_exec_t)
+
+kernel_dontaudit_read_system_state(ooffice_t)
+
+corecmd_exec_bin(ooffice_t)
+corecmd_exec_shell(ooffice_t)
+
+dev_read_sysfs(ooffice_t)
+dev_read_urand(ooffice_t)
+
+domain_use_interactive_fds(ooffice_t)
+
+files_getattr_all_dirs(ooffice_t)
+files_getattr_all_files(ooffice_t)
+files_getattr_all_symlinks(ooffice_t)
+files_read_etc_files(ooffice_t)
+files_map_usr_files(ooffice_t)
+files_read_usr_files(ooffice_t)
+
+fs_getattr_xattr_fs(ooffice_t)
+
+miscfiles_read_fonts(ooffice_t)
+miscfiles_read_localization(ooffice_t)
+
+ooffice_dontaudit_exec_tmp_files(ooffice_t)
+
+sysnet_dns_name_resolve(ooffice_t)
+
+userdom_dontaudit_exec_user_home_content_files(ooffice_t)
+userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
+userdom_manage_user_tmp_dirs(ooffice_t)
+userdom_manage_user_tmp_sockets(ooffice_t)
+userdom_use_inherited_user_terminals(ooffice_t)
+
+userdom_user_content_access_template(openoffice, ooffice_t)
+
+xdg_manage_documents(ooffice_t)
+
+tunable_policy(`openoffice_allow_update',`
+ corenet_tcp_connect_http_port(ooffice_t)
+')
+
+tunable_policy(`openoffice_allow_email',`
+ corenet_tcp_connect_smtp_port(ooffice_t)
+ corenet_tcp_sendrecv_smtp_port(ooffice_t)
+ corenet_sendrecv_smtp_client_packets(ooffice_t)
+')
+
+optional_policy(`
+ cups_read_config(ooffice_t)
+ cups_stream_connect(ooffice_t)
+')
+
+optional_policy(`
+ dbus_all_session_bus_client(ooffice_t)
+')
+
+optional_policy(`
+ evolution_domtrans(ooffice_t)
+ evolution_read_home_files(ooffice_t)
+')
+
+optional_policy(`
+ gnome_dbus_chat_gconfd(ooffice_t)
+ gnome_stream_connect_gconf(ooffice_t)
+')
+
+optional_policy(`
+ hostname_exec(ooffice_t)
+')
+
+optional_policy(`
+ java_exec(ooffice_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(ooffice_t)
+ mozilla_read_tmp_files(ooffice_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(ooffice_t)
+')
+
+optional_policy(`
+ xserver_rw_xsession_log(ooffice_t)
+ xserver_read_user_iceauth(ooffice_t)
+ xserver_read_user_xauth(ooffice_t)
+ xserver_read_xdm_tmp_files(ooffice_t)
+ xserver_stream_connect(ooffice_t)
+ xserver_stream_connect_xdm(ooffice_t)
+')
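Review bot: The home-directory transition only covers the exact name ".openoffice", while openoffice.fc in this same diff labels both `HOME_DIR/.openoffice` and `HOME_DIR/.openoffice.org` as ooffice_home_t; a named transition matches the exact name only, so if the application creates ~/.openoffice.org itself the directory will presumably come up with the generic user home type and only be fixed by restorecon. Add `userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice.org")` next to the existing one. A smaller consistency point: the `openoffice_allow_update` block grants only `corenet_tcp_connect_http_port` whereas the `openoffice_allow_email` block also adds the sendrecv port and client-packet rules; if those rules are still meaningful in this policy version the update block should match, otherwise the email block carries dead rules.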
diff --git a/policy/modules/apps/podsleuth.fc b/policy/modules/apps/podsleuth.fc
new file mode 100644
index 00000000..c32a4f30
--- /dev/null
+++ b/policy/modules/apps/podsleuth.fc
@@ -0,0 +1,5 @@
+/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+
+/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+
+/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0)
diff --git a/policy/modules/apps/podsleuth.if b/policy/modules/apps/podsleuth.if
new file mode 100644
index 00000000..a9427b4a
--- /dev/null
+++ b/policy/modules/apps/podsleuth.if
@@ -0,0 +1,46 @@
+## <summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM).</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run podsleuth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`podsleuth_domtrans',`
+ gen_require(`
+ type podsleuth_t, podsleuth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
+')
+
+########################################
+## <summary>
+## Execute podsleuth in the podsleuth
+## domain, and allow the specified role
+## the podsleuth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`podsleuth_run',`
+ gen_require(`
+ attribute_role podsleuth_roles;
+ ')
+
+ podsleuth_domtrans($1)
+ roleattribute $2 podsleuth_roles;
+')
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
new file mode 100644
index 00000000..83dc77b5
--- /dev/null
+++ b/policy/modules/apps/podsleuth.te
@@ -0,0 +1,97 @@
+policy_module(podsleuth, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role podsleuth_roles;
+roleattribute system_r podsleuth_roles;
+
+type podsleuth_t;
+type podsleuth_exec_t;
+application_domain(podsleuth_t, podsleuth_exec_t)
+role podsleuth_roles types podsleuth_t;
+
+type podsleuth_cache_t;
+files_type(podsleuth_cache_t)
+ubac_constrained(podsleuth_cache_t)
+
+type podsleuth_tmp_t;
+userdom_user_tmp_file(podsleuth_tmp_t)
+
+type podsleuth_tmpfs_t;
+userdom_user_tmpfs_file(podsleuth_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow podsleuth_t self:capability { dac_override kill sys_admin sys_rawio };
+allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:fifo_file rw_fifo_file_perms;
+allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+allow podsleuth_t self:sem create_sem_perms;
+allow podsleuth_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
+
+allow podsleuth_t podsleuth_tmp_t:dir mounton;
+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
+
+manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
+fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
+
+kernel_read_system_state(podsleuth_t)
+kernel_request_load_module(podsleuth_t)
+
+corecmd_exec_bin(podsleuth_t)
+
+corenet_all_recvfrom_unlabeled(podsleuth_t)
+corenet_all_recvfrom_netlabel(podsleuth_t)
+corenet_tcp_sendrecv_generic_if(podsleuth_t)
+corenet_tcp_sendrecv_generic_node(podsleuth_t)
+
+corenet_sendrecv_http_client_packets(podsleuth_t)
+corenet_tcp_connect_http_port(podsleuth_t)
+corenet_tcp_sendrecv_http_port(podsleuth_t)
+
+dev_read_urand(podsleuth_t)
+
+files_read_etc_files(podsleuth_t)
+
+fs_mount_dos_fs(podsleuth_t)
+fs_unmount_dos_fs(podsleuth_t)
+fs_getattr_dos_fs(podsleuth_t)
+fs_read_dos_files(podsleuth_t)
+fs_search_dos(podsleuth_t)
+fs_getattr_tmpfs(podsleuth_t)
+fs_list_tmpfs(podsleuth_t)
+fs_rw_removable_blk_files(podsleuth_t)
+
+miscfiles_read_localization(podsleuth_t)
+
+sysnet_dns_name_resolve(podsleuth_t)
+
+userdom_signal_unpriv_users(podsleuth_t)
+userdom_signull_unpriv_users(podsleuth_t)
+userdom_read_user_tmpfs_files(podsleuth_t)
+
+optional_policy(`
+ dbus_system_bus_client(podsleuth_t)
+
+ optional_policy(`
+ hal_dbus_chat(podsleuth_t)
+ ')
+')
+
+optional_policy(`
+ mono_exec(podsleuth_t)
+')
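Review bot: The local policy grants `self:process { ptrace signal signull getsched execheap execmem execstack }` together with `self:capability { dac_override kill sys_admin sys_rawio }` unconditionally, for a helper reachable from system_r via hal; that is a wide set for an iPod metadata reader, and unlike the mplayer hunk in this diff none of the exec permissions sit behind a tunable. If execmem/execheap are needed only for the mono runtime (see the optional `mono_exec` at the end), say so, e.g. `# execmem/execheap/execstack: mono JIT (TODO confirm self ptrace is actually needed)`, and drop any of the four capabilities that are not exercised. Separately, `files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })` is unnamed, so anything podsleuth creates directly in a var_t directory becomes podsleuth_cache_t; if this refpolicy's `files_var_filetrans` accepts the optional name argument and /var/cache is var_t, `files_var_filetrans(podsleuth_t, podsleuth_cache_t, dir, "podsleuth")` confines the transition to the path the .fc actually labels.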
diff --git a/policy/modules/apps/ptchown.fc b/policy/modules/apps/ptchown.fc
new file mode 100644
index 00000000..dd96822d
--- /dev/null
+++ b/policy/modules/apps/ptchown.fc
@@ -0,0 +1,3 @@
+/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0)
+
+/usr/lib/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0)
diff --git a/policy/modules/apps/ptchown.if b/policy/modules/apps/ptchown.if
new file mode 100644
index 00000000..97a1e7b1
--- /dev/null
+++ b/policy/modules/apps/ptchown.if
@@ -0,0 +1,65 @@
+## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ptchown.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ptchown_domtrans',`
+ gen_require(`
+ type ptchown_t, ptchown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ptchown_exec_t, ptchown_t)
+')
+
+#######################################
+## <summary>
+## Execute ptchown in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ptchown_exec',`
+ gen_require(`
+ type ptchown_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ptchown_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ptchown in the ptchown
+## domain, and allow the specified
+## role the ptchown domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ptchown_run',`
+ gen_require(`
+ attribute_role ptchown_roles;
+ ')
+
+ ptchown_domtrans($1)
+ roleattribute $2 ptchown_roles;
+')
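Review bot: The module summary on the first line of the hunk misspells "ownership" (`ownship`) and would read better as `## <summary>Helper for grantpt(3) that changes ownership and permissions of a pseudo-terminal.</summary>`. Separately, `ptchown_run` lacks the `## <rolecap/>` tag that `qemu_run` carries later in this same commit; the two run interfaces are otherwise structurally identical, so the tag is presumably wanted here as well for consistent generated documentation.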
diff --git a/policy/modules/apps/ptchown.te b/policy/modules/apps/ptchown.te
new file mode 100644
index 00000000..28d2abc0
--- /dev/null
+++ b/policy/modules/apps/ptchown.te
@@ -0,0 +1,34 @@
+policy_module(ptchown, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role ptchown_roles;
+roleattribute system_r ptchown_roles;
+
+type ptchown_t;
+type ptchown_exec_t;
+application_domain(ptchown_t, ptchown_exec_t)
+role ptchown_roles types ptchown_t;
+
+########################################
+#
+# Local policy
+#
+
+allow ptchown_t self:capability { chown fowner fsetid setuid };
+allow ptchown_t self:process { getcap setcap };
+
+files_read_etc_files(ptchown_t)
+
+fs_rw_anon_inodefs_files(ptchown_t)
+
+term_setattr_generic_ptys(ptchown_t)
+term_getattr_all_ptys(ptchown_t)
+term_setattr_all_ptys(ptchown_t)
+term_use_generic_ptys(ptchown_t)
+term_use_ptmx(ptchown_t)
+
+miscfiles_read_localization(ptchown_t)
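Review bot: The grant `allow ptchown_t self:capability { chown fowner fsetid setuid };` carries no comment, and the only statement of what pt_chown does is the interface summary in ptchown.if; a reader of this file alone cannot check the four capabilities against the program's job. A one-line why-comment above it, e.g. `# pt_chown hands the pty slave to the caller: chown/fowner/fsetid cover the ownership and mode change`, would make the review possible in place. Whether `setuid` (together with the `getcap setcap` process permissions below) is needed for privilege dropping is not shown here and should be confirmed against the binary before the comment claims it.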
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
new file mode 100644
index 00000000..0d9bc354
--- /dev/null
+++ b/policy/modules/apps/pulseaudio.fc
@@ -0,0 +1,11 @@
+HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_xdg_config_t,s0)
+
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+
+/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+/run/user/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
new file mode 100644
index 00000000..ca005df0
--- /dev/null
+++ b/policy/modules/apps/pulseaudio.if
@@ -0,0 +1,422 @@
+## <summary>Pulseaudio network sound server.</summary>
+
+########################################
+## <summary>
+## Role access for pulseaudio.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_role',`
+ gen_require(`
+ attribute pulseaudio_tmpfsfile;
+ type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t;
+ type pulseaudio_tmp_t;
+ ')
+
+ pulseaudio_run($2, $1)
+
+ allow $2 pulseaudio_t:process { ptrace signal_perms };
+ allow $2 pulseaudio_t:fd use;
+ ps_process_pattern($2, pulseaudio_t)
+
+ allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map };
+
+ allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
+ allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow pulseaudio_t $2:process signull;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_domtrans',`
+ gen_require(`
+ attribute pulseaudio_client;
+ type pulseaudio_t, pulseaudio_exec_t;
+ ')
+
+ typeattribute $1 pulseaudio_client;
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
+')
+
+########################################
+## <summary>
+## Execute pulseaudio in the pulseaudio
+## domain, and allow the specified role
+## the pulseaudio domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_run',`
+ gen_require(`
+ attribute_role pulseaudio_roles;
+ ')
+
+ pulseaudio_domtrans($1)
+ roleattribute $2 pulseaudio_roles;
+')
+
+########################################
+## <summary>
+## Execute pulseaudio in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_exec',`
+ gen_require(`
+ type pulseaudio_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pulseaudio_exec_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_exec',`
+ gen_require(`
+ type pulseaudio_exec_t;
+ ')
+
+ dontaudit $1 pulseaudio_exec_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Send null signals to pulseaudio.
+## processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_signull',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:process signull;
+')
+
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
+
+#####################################
+## <summary>
+## Connect to pulseaudio with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_stream_connect',`
+ gen_require(`
+ type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## pulseaudio over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dbus_chat',`
+ gen_require(`
+ type pulseaudio_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Set attributes of pulseaudio home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_setattr_home_dir',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ allow $1 pulseaudio_home_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Read pulseaudio home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_home',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 pulseaudio_home_t:dir list_dir_perms;
+ allow $1 pulseaudio_home_t:file read_file_perms;
+ allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write Pulse Audio files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## pulseaudio home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_manage_home',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 pulseaudio_home_t:dir manage_dir_perms;
+ allow $1 pulseaudio_home_t:file manage_file_perms;
+ allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in user home
+## directories with the pulseaudio
+## home type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_home_filetrans_pulseaudio_home',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Make the specified tmpfs file type
+## pulseaudio tmpfs content.
+## </summary>
+## <param name="file_type">
+## <summary>
+## File type to make pulseaudio tmpfs content.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_tmpfs_content',`
+ gen_require(`
+ attribute pulseaudio_tmpfsfile;
+ ')
+
+ typeattribute $1 pulseaudio_tmpfsfile;
+')
+
+#######################################
+## <summary>
+## Read pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+#######################################
+## <summary>
+## Read and write pulseaudio tmpfs
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+# Below are Gentoo specifics but ifdef distro_gentoo cannot be used in interfaces
+
+########################################
+## <summary>
+## Mark the specified domain as a PulseAudio client domain
+## and the related tmpfs file type as a (shared) PulseAudio tmpfs
+## file type used for the shared memory access
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to become a PulseAudio client domain
+## </summary>
+## </param>
+## <param name="tmpfstype">
+## <summary>
+## Tmpfs type used for shared memory of the given domain
+## </summary>
+## </param>
+#
+interface(`pulseaudio_client_domain',`
+ refpolicywarn(`$0($*) has been deprecated')
+
+ pulseaudio_domtrans($1)
+ pulseaudio_tmpfs_content($2)
+')
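Review bot: `pulseaudio_stream_connect` grants `files_search_pids($1)` but also connects through `pulseaudio_tmp_t`, which pulseaudio.fc in this commit places under `/run/user/%{USERID}/pulse`; a caller without search access on the user runtime directory would presumably be denied on the path walk before it reaches the socket, so the interface likely also needs the userdom search interface for user runtime content (`userdom_search_user_runtime`, if this tree provides it). Separately, the `pulseaudio_signull` summary has a stray period splitting the sentence (`Send null signals to pulseaudio.` / `processes.`); `Send null signals to pulseaudio processes.` is the intended text. The header rules above `pulseaudio_stream_connect`, `pulseaudio_read_tmpfs_files` and `pulseaudio_rw_tmpfs_files` are also shorter than the 40-character rule every other interface in the file uses.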
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
new file mode 100644
index 00000000..1a58bde5
--- /dev/null
+++ b/policy/modules/apps/pulseaudio.te
@@ -0,0 +1,308 @@
+policy_module(pulseaudio, 1.11.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow pulseaudio to execute code in
+## writable memory
+## </p>
+## </desc>
+gen_tunable(pulseaudio_execmem, false)
+
+attribute pulseaudio_client;
+attribute pulseaudio_tmpfsfile;
+
+attribute_role pulseaudio_roles;
+
+type pulseaudio_t;
+type pulseaudio_exec_t;
+# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
+role pulseaudio_roles types pulseaudio_t;
+
+type pulseaudio_home_t;
+userdom_user_home_content(pulseaudio_home_t)
+
+type pulseaudio_tmp_t;
+userdom_user_tmp_file(pulseaudio_tmp_t)
+userdom_user_runtime_content(pulseaudio_tmp_t)
+
+type pulseaudio_tmpfs_t;
+userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
+
+type pulseaudio_var_lib_t;
+files_type(pulseaudio_var_lib_t)
+
+type pulseaudio_var_run_t;
+files_pid_file(pulseaudio_var_run_t)
+
+type pulseaudio_xdg_config_t;
+xdg_config_content(pulseaudio_xdg_config_t)
+
+########################################
+#
+# Local policy
+#
+
+allow pulseaudio_t self:capability { chown fowner fsetid setgid setuid sys_nice sys_resource sys_tty_config };
+allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched signal signull };
+
+allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
+allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
+allow pulseaudio_t self:unix_dgram_socket sendto;
+allow pulseaudio_t self:tcp_socket { accept listen };
+allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
+allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map };
+allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
+
+userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
+userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth")
+userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie")
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
+manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
+files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
+userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
+userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
+userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, { pulseaudio_tmpfs_t pulseaudio_tmpfsfile })
+allow pulseaudio_t { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file map;
+fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+xdg_config_filetrans(pulseaudio_t, pulseaudio_xdg_config_t, dir, "pulse")
+
+allow pulseaudio_t pulseaudio_client:process signull;
+ps_process_pattern(pulseaudio_t, pulseaudio_client)
+
+can_exec(pulseaudio_t, pulseaudio_exec_t)
+
+kernel_getattr_proc(pulseaudio_t)
+kernel_read_system_state(pulseaudio_t)
+kernel_read_kernel_sysctls(pulseaudio_t)
+
+corecmd_exec_bin(pulseaudio_t)
+
+corenet_all_recvfrom_unlabeled(pulseaudio_t)
+corenet_all_recvfrom_netlabel(pulseaudio_t)
+corenet_tcp_sendrecv_generic_if(pulseaudio_t)
+corenet_udp_sendrecv_generic_if(pulseaudio_t)
+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
+corenet_udp_sendrecv_generic_node(pulseaudio_t)
+
+corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t)
+corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
+corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t)
+
+corenet_sendrecv_soundd_server_packets(pulseaudio_t)
+corenet_tcp_bind_soundd_port(pulseaudio_t)
+corenet_tcp_sendrecv_soundd_port(pulseaudio_t)
+
+corenet_sendrecv_sap_server_packets(pulseaudio_t)
+corenet_udp_bind_sap_port(pulseaudio_t)
+corenet_udp_sendrecv_sap_port(pulseaudio_t)
+
+dev_read_sound(pulseaudio_t)
+dev_write_sound(pulseaudio_t)
+dev_read_sysfs(pulseaudio_t)
+dev_read_urand(pulseaudio_t)
+
+files_read_usr_files(pulseaudio_t)
+
+fs_getattr_tmpfs(pulseaudio_t)
+fs_getattr_all_fs(pulseaudio_t)
+fs_list_inotifyfs(pulseaudio_t)
+fs_rw_anon_inodefs_files(pulseaudio_t)
+fs_search_auto_mountpoints(pulseaudio_t)
+
+term_use_all_ttys(pulseaudio_t)
+term_use_all_ptys(pulseaudio_t)
+
+auth_use_nsswitch(pulseaudio_t)
+
+logging_send_syslog_msg(pulseaudio_t)
+
+miscfiles_read_localization(pulseaudio_t)
+
+seutil_read_config(pulseaudio_t)
+
+userdom_read_user_tmpfs_files(pulseaudio_t)
+userdom_map_user_tmpfs_files(pulseaudio_t)
+userdom_delete_user_tmpfs_files(pulseaudio_t)
+userdom_search_user_home_dirs(pulseaudio_t)
+userdom_search_user_home_content(pulseaudio_t)
+
+userdom_manage_user_tmp_dirs(pulseaudio_t)
+userdom_manage_user_tmp_sockets(pulseaudio_t)
+
+tunable_policy(`pulseaudio_execmem',`
+ allow pulseaudio_t self:process execmem;
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(pulseaudio_t)
+ fs_manage_nfs_files(pulseaudio_t)
+ fs_manage_nfs_symlinks(pulseaudio_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(pulseaudio_t)
+ fs_manage_cifs_files(pulseaudio_t)
+ fs_manage_cifs_symlinks(pulseaudio_t)
+')
+
+optional_policy(`
+ alsa_read_config(pulseaudio_t)
+ alsa_read_home_files(pulseaudio_t)
+')
+
+optional_policy(`
+ bluetooth_stream_connect(pulseaudio_t)
+')
+
+optional_policy(`
+ dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
+ dbus_all_session_bus_client(pulseaudio_t)
+ dbus_connect_all_session_bus(pulseaudio_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(pulseaudio_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(pulseaudio_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(pulseaudio_t)
+ ')
+
+ optional_policy(`
+ rpm_dbus_chat(pulseaudio_t)
+ ')
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ gnome_manage_gstreamer_orcexec(pulseaudio_t)
+ gnome_mmap_gstreamer_orcexec(pulseaudio_t)
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+')
+
+optional_policy(`
+ rtkit_scheduled(pulseaudio_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(pulseaudio_t)
+ policykit_read_lib(pulseaudio_t)
+ policykit_read_reload(pulseaudio_t)
+')
+
+optional_policy(`
+ udev_read_pid_files(pulseaudio_t)
+ udev_read_state(pulseaudio_t)
+ udev_read_db(pulseaudio_t)
+')
+
+optional_policy(`
+ xserver_stream_connect(pulseaudio_t)
+ xserver_manage_xdm_tmp_files(pulseaudio_t)
+ xserver_read_xdm_lib_files(pulseaudio_t)
+ xserver_read_xdm_pid(pulseaudio_t)
+ xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
+')
+
+########################################
+#
+# Client local policy
+#
+
+allow pulseaudio_client self:unix_dgram_socket sendto;
+allow pulseaudio_client self:process signull;
+
+allow pulseaudio_client pulseaudio_tmp_t:dir manage_dir_perms;
+allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms;
+allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms;
+
+rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
+allow pulseaudio_client pulseaudio_tmpfs_t:file map;
+delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
+
+manage_dirs_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+manage_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t)
+xdg_config_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse")
+
+fs_getattr_tmpfs(pulseaudio_client)
+
+corenet_all_recvfrom_unlabeled(pulseaudio_client)
+corenet_all_recvfrom_netlabel(pulseaudio_client)
+corenet_tcp_sendrecv_generic_if(pulseaudio_client)
+corenet_tcp_sendrecv_generic_node(pulseaudio_client)
+
+corenet_sendrecv_pulseaudio_client_packets(pulseaudio_client)
+corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
+corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
+
+pulseaudio_stream_connect(pulseaudio_client)
+pulseaudio_manage_home(pulseaudio_client)
+pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse")
+pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
+pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
+pulseaudio_signull(pulseaudio_client)
+pulseaudio_use_fds(pulseaudio_client)
+
+userdom_read_user_tmpfs_files(pulseaudio_client)
+userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")
+# userdom_delete_user_tmpfs_files(pulseaudio_client)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(pulseaudio_client)
+ fs_manage_nfs_dirs(pulseaudio_client)
+ fs_manage_nfs_files(pulseaudio_client)
+ fs_read_nfs_symlinks(pulseaudio_client)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(pulseaudio_client)
+ fs_manage_cifs_dirs(pulseaudio_client)
+ fs_manage_cifs_files(pulseaudio_client)
+ fs_read_cifs_symlinks(pulseaudio_client)
+')
+
+optional_policy(`
+ pulseaudio_dbus_chat(pulseaudio_client)
+')
+
+optional_policy(`
+ rtkit_scheduled(pulseaudio_client)
+')
+
+optional_policy(`
+ unconfined_signull(pulseaudio_client)
+')
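Review bot: Every domain that calls `pulseaudio_domtrans` is added to `pulseaudio_client` (pulseaudio.if in this commit does `typeattribute $1 pulseaudio_client;`), so the entire client section from `allow pulseaudio_client self:unix_dgram_socket sendto;` onward — TCP connect to the pulseaudio port, manage of the user's `pulseaudio_home_t`, manage of `pulseaudio_xdg_config_t` — is granted to any caller that merely wants to spawn the daemon, with no way to take only the transition. If that coupling is intended, a comment at the top of the client section stating that the attribute is populated by `pulseaudio_domtrans` would make it explicit to the next maintainer; otherwise a separate client interface would let callers opt in to the socket and home access. The commented-out `# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)` and `# userdom_delete_user_tmpfs_files(pulseaudio_client)` lines should either carry a reason or be dropped.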
diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
new file mode 100644
index 00000000..1fc79800
--- /dev/null
+++ b/policy/modules/apps/qemu.fc
@@ -0,0 +1,19 @@
+/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
+
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+/usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)
+
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')
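Review bot: The entry `/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)` restricts the match to regular files, so the `/var/log/qemu-ga` directory itself never receives `qemu_ga_log_t` and keeps the generic log directory label; dropping the `--` (`/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:qemu_ga_log_t,s0)`) matches how the other recursive entries in this commit are written. The `qemu_ga_exec_t`, `qemu_ga_log_t` and `qemu_ga_run_t` types referenced in the `distro_gentoo` block are not declared in the part of qemu.te visible in this commit, so confirm they are declared in its own `distro_gentoo` section; a file context naming an undeclared type would fail when the file contexts are compiled.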
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
new file mode 100644
index 00000000..b6d8e1c2
--- /dev/null
+++ b/policy/modules/apps/qemu.if
@@ -0,0 +1,434 @@
+## <summary>QEMU machine emulator and virtualizer.</summary>
+
+#######################################
+## <summary>
+## The template to define a qemu domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`qemu_domain_template',`
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_t;
+ domain_type($1_t)
+
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
+
+ ##############################
+ #
+ # Policy
+ #
+
+ allow $1_t self:capability { dac_override dac_read_search };
+ allow $1_t self:process { execstack execmem signal getsched };
+ allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:tun_socket create;
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_generic_node($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_tcp_bind_generic_node($1_t)
+ corenet_tcp_bind_vnc_port($1_t)
+ corenet_rw_tun_tap_dev($1_t)
+
+# dev_rw_kvm($1_t)
+
+ domain_use_interactive_fds($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_usr_files($1_t)
+ files_read_var_files($1_t)
+ files_search_all($1_t)
+
+ fs_list_inotifyfs($1_t)
+ fs_rw_anon_inodefs_files($1_t)
+ fs_rw_tmpfs_files($1_t)
+
+ storage_raw_write_removable_device($1_t)
+ storage_raw_read_removable_device($1_t)
+
+ term_use_ptmx($1_t)
+ term_getattr_pty_fs($1_t)
+ term_use_generic_ptys($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ sysnet_read_config($1_t)
+
+ userdom_use_user_terminals($1_t)
+ userdom_attach_admin_tun_iface($1_t)
+
+ optional_policy(`
+ samba_domtrans_smbd($1_t)
+ ')
+
+ optional_policy(`
+ virt_manage_images($1_t)
+ virt_read_config($1_t)
+ virt_read_lib_files($1_t)
+ virt_attach_tun_iface($1_t)
+ ')
+
+ optional_policy(`
+ xserver_stream_connect($1_t)
+ xserver_read_xdm_tmp_files($1_t)
+ xserver_read_xdm_pid($1_t)
+# xserver_xdm_rw_shm($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Role access for qemu.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+template(`qemu_role',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ qemu_run($2, $1)
+
+ allow $2 qemu_t:process { ptrace signal_perms };
+ ps_process_pattern($2, qemu_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qemu_domtrans',`
+ gen_require(`
+ type qemu_t, qemu_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, qemu_exec_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Execute a qemu in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_exec',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, qemu_exec_t)
+')
+
+########################################
+## <summary>
+## Execute qemu in the qemu domain,
+## and allow the specified role the
+## qemu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qemu_run',`
+ gen_require(`
+ attribute_role qemu_roles;
+ ')
+
+ qemu_domtrans($1)
+ roleattribute $2 qemu_roles;
+')
+
+########################################
+## <summary>
+## Read qemu process state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`qemu_read_state',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 qemu_t:dir list_dir_perms;
+ allow $1 qemu_t:file read_file_perms;
+ allow $1 qemu_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Set qemu scheduler.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_setsched',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process setsched;
+')
+
+########################################
+## <summary>
+## Send generic signals to qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_signal',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process signal;
+')
+
+########################################
+## <summary>
+## Send kill signals to qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_kill',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Connect to qemu with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_stream_connect',`
+ gen_require(`
+ type qemu_t, qemu_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Unlink qemu socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_delete_pid_sock_file',`
+ gen_require(`
+ type qemu_var_run_t;
+ ')
+
+ allow $1 qemu_var_run_t:sock_file unlink;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run qemu unconfined.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qemu_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_qemu_t, qemu_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## qemu temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_manage_tmp_dirs',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## qemu temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_manage_tmp_files',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
+
+########################################
+## <summary>
+## Execute qemu in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute qemu in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+#
+interface(`qemu_spec_domtrans',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_transition_pattern($1, qemu_exec_t, $2)
+')
+
+######################################
+## <summary>
+## Make qemu executable files an
+## entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which qemu_exec_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`qemu_entry_type',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ domain_entry_file($1, qemu_exec_t)
+')
+
+# Gentoo specific but cannot use ifdef distro_gentoo here
+
+#######################################
+## <summary>
+## Read/write to qemu socket files in /var/run
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_rw_pid_sock_files',`
+ gen_require(`
+ type qemu_var_run_t;
+ ')
+
+ allow $1 qemu_var_run_t:sock_file rw_sock_file_perms;
+')
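Review bot: `qemu_role` is declared with `template(` although it declares no types and is structurally identical to `pulseaudio_role`, which this same commit declares with `interface(`; refpolicy reserves templates for blocks that derive new types from a prefix, so `interface(`qemu_role',`` is the consistent form. Inside `qemu_domain_template`, the commented-out `# dev_rw_kvm($1_t)` and `# xserver_xdm_rw_shm($1_t)` sit at column 0 and carry no reason; either add a comment explaining why they are disabled or remove them. The summary `Execute a qemu in the caller domain.` has a stray article and should read `Execute qemu in the caller domain.`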
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
new file mode 100644
index 00000000..a27624d8
--- /dev/null
+++ b/policy/modules/apps/qemu.te
@@ -0,0 +1,136 @@
+policy_module(qemu, 1.10.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether qemu has full
+## access to the network.
+## </p>
+## </desc>
+gen_tunable(qemu_full_network, false)
+
+attribute_role qemu_roles;
+roleattribute system_r qemu_roles;
+
+type qemu_exec_t;
+application_executable_file(qemu_exec_t)
+
+virt_domain_template(qemu)
+role qemu_roles types qemu_t;
+
+type qemu_unit_t;
+init_unit_file(qemu_unit_t)
+
+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+kernel_read_crypto_sysctls(qemu_t)
+
+dev_read_sysfs(qemu_t)
+
+allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
+files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+
+tunable_policy(`qemu_full_network',`
+ corenet_udp_sendrecv_generic_if(qemu_t)
+ corenet_udp_sendrecv_generic_node(qemu_t)
+ corenet_udp_sendrecv_all_ports(qemu_t)
+ corenet_udp_bind_generic_node(qemu_t)
+ corenet_udp_bind_all_ports(qemu_t)
+ corenet_tcp_bind_all_ports(qemu_t)
+ corenet_tcp_connect_all_ports(qemu_t)
+')
+
+optional_policy(`
+ fs_manage_xenfs_files(qemu_t)
+
+ dev_rw_xen(qemu_t)
+
+ xen_stream_connect_xenstore(qemu_t)
+ xen_append_log(qemu_t)
+ xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
+')
+
+########################################
+#
+# Unconfined local policy
+#
+
+optional_policy(`
+ type unconfined_qemu_t;
+ typealias unconfined_qemu_t alias qemu_unconfined_t;
+ application_type(unconfined_qemu_t)
+ unconfined_domain(unconfined_qemu_t)
+
+ allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
+')
+
+ifdef(`distro_gentoo',`
+
+ #################################
+ #
+ # Local policy
+ #
+
+ # VNC/GDB support
+ allow qemu_t self:tcp_socket create_stream_socket_perms;
+ allow qemu_t self:udp_socket create_socket_perms;
+
+ # Network related socket
+ allow qemu_t qemu_var_run_t:sock_file manage_sock_file_perms;
+
+ files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+
+ optional_policy(`
+ vde_connect(qemu_t)
+ ')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
+')
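Review bot: `files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` inside the `distro_gentoo` block repeats the identical unconditional rule from the common local policy, and the Gentoo `manage_sock_file_perms` rule subsumes the common `create_sock_file_perms` one, so the Gentoo delta is larger than it needs to be; dropping the duplicated filetrans and keeping one socket rule per branch would make it readable. The guest-agent `allow qemu_ga_t self:capability sys_admin;` carries no comment although sys_admin is the broadest capability in the policy; a one-line why-comment naming the operation that needs it (presumably filesystem freeze/thaw ioctls — confirm against the agent) lets the next maintainer judge whether it can be narrowed. qemu_unit_t is declared but no rule in this file references it; if the unit type is consumed by an interface elsewhere, a short comment saying so would stop it looking unused.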
diff --git a/policy/modules/apps/rssh.fc b/policy/modules/apps/rssh.fc
new file mode 100644
index 00000000..c0768426
--- /dev/null
+++ b/policy/modules/apps/rssh.fc
@@ -0,0 +1,3 @@
+/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
+
+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
new file mode 100644
index 00000000..6ecadcbc
--- /dev/null
+++ b/policy/modules/apps/rssh.if
@@ -0,0 +1,112 @@
+## <summary>Restricted (scp/sftp) only shell.</summary>
+
+########################################
+## <summary>
+## Role access for rssh.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`rssh_role',`
+ gen_require(`
+ attribute_role rssh_roles;
+ type rssh_t, rssh_exec_t, rssh_ro_t;
+ type rssh_rw_t;
+ ')
+
+ roleattribute $1 rssh_roles;
+
+ domtrans_pattern($2, rssh_exec_t, rssh_t)
+
+ allow $2 rssh_t:process { ptrace signal_perms };
+ ps_process_pattern($2, rssh_t)
+
+ allow $2 { rssh_ro_t rssh_rw_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { rssh_ro_t rssh_rw_t }:file { manage_file_perms relabel_file_perms };
+')
+
+########################################
+## <summary>
+## Execute rssh in the rssh domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rssh_spec_domtrans',`
+ gen_require(`
+ type rssh_t, rssh_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
+')
+
+########################################
+## <summary>
+## Execute the rssh program
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_exec',`
+ gen_require(`
+ type rssh_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rssh_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run rssh chroot helper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rssh_domtrans_chroot_helper',`
+ gen_require(`
+ type rssh_chroot_helper_t, rssh_chroot_helper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t)
+')
+
+########################################
+## <summary>
+## Read users rssh read-only content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_read_ro_content',`
+ gen_require(`
+ type rssh_ro_t;
+ ')
+
+ allow $1 rssh_ro_t:dir list_dir_perms;
+ allow $1 rssh_ro_t:file read_file_perms;
+')
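Review bot: `rssh_read_ro_content` grants only `list_dir_perms`/`read_file_perms` on rssh_ro_t, but rssh.te declares rssh_ro_t as user home content, so a caller that does not already search user home directories cannot reach the files this interface is meant to expose; the usual refpolicy shape adds `userdom_search_user_home_dirs($1)` before the allow rules. The `rssh_role` manage/relabel rules on rssh_ro_t/rssh_rw_t are not affected in practice, since the user domain passed there normally already has home-directory search access.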
diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te
new file mode 100644
index 00000000..91a89f65
--- /dev/null
+++ b/policy/modules/apps/rssh.te
@@ -0,0 +1,99 @@
+policy_module(rssh, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role rssh_roles;
+roleattribute system_r rssh_roles;
+
+type rssh_t;
+type rssh_exec_t;
+typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t };
+typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t };
+userdom_user_application_domain(rssh_t, rssh_exec_t)
+domain_user_exemption_target(rssh_t)
+domain_interactive_fd(rssh_t)
+role rssh_roles types rssh_t;
+
+type rssh_chroot_helper_t;
+type rssh_chroot_helper_exec_t;
+init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)
+
+type rssh_devpts_t;
+typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t };
+typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t };
+term_user_pty(rssh_t, rssh_devpts_t)
+ubac_constrained(rssh_devpts_t)
+
+type rssh_ro_t; # customizable
+typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t };
+typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t };
+userdom_user_home_content(rssh_ro_t)
+
+type rssh_rw_t; # customizable
+typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
+typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t };
+userdom_user_home_content(rssh_rw_t)
+
+##############################
+#
+# Local policy
+#
+
+allow rssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow rssh_t self:fd use;
+allow rssh_t self:fifo_file rw_fifo_file_perms;
+allow rssh_t self:unix_dgram_socket sendto;
+allow rssh_t self:unix_stream_socket { accept connectto listen };
+
+allow rssh_t rssh_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(rssh_t, rssh_devpts_t)
+
+allow rssh_t rssh_ro_t:dir list_dir_perms;
+read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t)
+
+manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+
+kernel_read_system_state(rssh_t)
+kernel_read_kernel_sysctls(rssh_t)
+
+files_read_etc_files(rssh_t)
+files_read_etc_runtime_files(rssh_t)
+files_list_home(rssh_t)
+files_read_usr_files(rssh_t)
+files_list_var(rssh_t)
+
+fs_search_auto_mountpoints(rssh_t)
+
+logging_send_syslog_msg(rssh_t)
+
+miscfiles_read_localization(rssh_t)
+
+rssh_domtrans_chroot_helper(rssh_t)
+
+ssh_rw_tcp_sockets(rssh_t)
+ssh_rw_stream_sockets(rssh_t)
+
+optional_policy(`
+ nis_use_ypbind(rssh_t)
+')
+
+########################################
+#
+# Chroot helper local policy
+#
+
+allow rssh_chroot_helper_t self:capability { setuid sys_chroot };
+allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
+allow rssh_chroot_helper_t self:unix_stream_socket { accept listen };
+
+domain_use_interactive_fds(rssh_chroot_helper_t)
+
+auth_use_nsswitch(rssh_chroot_helper_t)
+
+logging_send_syslog_msg(rssh_chroot_helper_t)
+
+miscfiles_read_localization(rssh_chroot_helper_t)
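Review bot: The `allow rssh_t self:process { ... }` line grants far more than a restricted scp/sftp shell visibly needs — `dyntransition`, `setcap`, `share`, `setkeycreate`, `setsockcreate`, `siginh`, `rlimitinh` and `noatsecure` are all listed with no comment, and dyntransition/setcap on self read as copied from a broader template rather than derived from what rssh does. Since rssh_t exists to narrow what an account can do, either trim the set to the permissions an rssh session actually exercises or add a comment naming the code path behind each unusual one. `ssh_rw_tcp_sockets`/`ssh_rw_stream_sockets` are called outside `optional_policy`, unlike `nis_use_ypbind` just below; if ssh is built as a loadable module in this policy, wrapping them the same way avoids a link failure when it is absent.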
diff --git a/policy/modules/apps/sambagui.fc b/policy/modules/apps/sambagui.fc
new file mode 100644
index 00000000..2640dcf0
--- /dev/null
+++ b/policy/modules/apps/sambagui.fc
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism\.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
diff --git a/policy/modules/apps/sambagui.if b/policy/modules/apps/sambagui.if
new file mode 100644
index 00000000..d9c7bb65
--- /dev/null
+++ b/policy/modules/apps/sambagui.if
@@ -0,0 +1 @@
+## <summary>system-config-samba dbus service.</summary>
diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
new file mode 100644
index 00000000..e18b0a28
--- /dev/null
+++ b/policy/modules/apps/sambagui.te
@@ -0,0 +1,66 @@
+policy_module(sambagui, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role sambagui_roles;
+roleattribute system_r sambagui_roles;
+
+type sambagui_t;
+type sambagui_exec_t;
+application_domain(sambagui_t, sambagui_exec_t)
+role sambagui_roles types sambagui_t;
+
+########################################
+#
+# Local policy
+#
+
+allow sambagui_t self:capability dac_override;
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(sambagui_t)
+
+corecmd_exec_bin(sambagui_t)
+corecmd_exec_shell(sambagui_t)
+
+dev_dontaudit_read_urand(sambagui_t)
+
+files_read_usr_files(sambagui_t)
+
+auth_use_nsswitch(sambagui_t)
+auth_dontaudit_read_shadow(sambagui_t)
+
+logging_send_syslog_msg(sambagui_t)
+
+miscfiles_read_localization(sambagui_t)
+
+sysnet_use_ldap(sambagui_t)
+
+optional_policy(`
+ consoletype_exec(sambagui_t)
+')
+
+optional_policy(`
+ nscd_dontaudit_search_pid(sambagui_t)
+')
+
+optional_policy(`
+ dbus_system_domain(sambagui_t, sambagui_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+ ')
+')
+
+optional_policy(`
+ samba_append_log(sambagui_t)
+ samba_manage_config(sambagui_t)
+ samba_manage_var_files(sambagui_t)
+ samba_read_secrets(sambagui_t)
+ samba_initrc_domtrans(sambagui_t)
+ samba_domtrans_smbd(sambagui_t)
+ samba_domtrans_nmbd(sambagui_t)
+')
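Review bot: `allow sambagui_t self:capability dac_override;` has no comment saying which root-owned object the mechanism must bypass DAC for, and dac_override is the first capability an auditor checks in a dbus-activated helper that also reads samba secrets. A why-comment such as `# dac_override: <file or operation> -- confirm` would document the intent, and if only reads are involved the narrower `dac_read_search` may suffice. The `auth_dontaudit_read_shadow` just below suggests the helper brushes against /etc/shadow through nsswitch; stating that in the same comment would explain both rules together.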
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
new file mode 100644
index 00000000..7196c598
--- /dev/null
+++ b/policy/modules/apps/screen.fc
@@ -0,0 +1,9 @@
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
+
+/run/screen(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
+/run/tmux(/.*)? gen_context(system_u:object_r:screen_runtime_t,s0)
+
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
new file mode 100644
index 00000000..884e261a
--- /dev/null
+++ b/policy/modules/apps/screen.if
@@ -0,0 +1,92 @@
+## <summary>GNU terminal multiplexer.</summary>
+
+#######################################
+## <summary>
+## The role template for the screen module.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`screen_role_template',`
+ gen_require(`
+ attribute screen_domain;
+ attribute_role screen_roles;
+ type screen_exec_t, screen_tmp_t;
+ type screen_home_t, screen_runtime_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_screen_t, screen_domain;
+ userdom_user_application_domain($1_screen_t, screen_exec_t)
+ domain_interactive_fd($1_screen_t)
+ role screen_roles types $1_screen_t;
+
+ roleattribute $2 screen_roles;
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ dontaudit $1_screen_t self:capability sys_tty_config;
+
+ domtrans_pattern($3, screen_exec_t, $1_screen_t)
+
+ ps_process_pattern($3, $1_screen_t)
+ allow $3 $1_screen_t:process { ptrace signal_perms };
+
+ dontaudit $3 $1_screen_t:unix_stream_socket { read write };
+ allow $1_screen_t $3:process signal;
+
+ allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms };
+ allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+
+ allow $3 screen_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 screen_home_t:file { manage_file_perms relabel_file_perms };
+ allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $3 screen_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
+ userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
+ userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
+
+ manage_dirs_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_files_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_lnk_files_pattern($3, screen_runtime_t, screen_runtime_t)
+ manage_fifo_files_pattern($3, screen_runtime_t, screen_runtime_t)
+
+ corecmd_bin_domtrans($1_screen_t, $3)
+ corecmd_shell_domtrans($1_screen_t, $3)
+
+ auth_domtrans_chk_passwd($1_screen_t)
+ auth_use_nsswitch($1_screen_t)
+
+ userdom_user_home_domtrans($1_screen_t, $3)
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_cifs_domtrans($1_screen_t, $3)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_nfs_domtrans($1_screen_t, $3)
+ ')
+')
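Review bot: `screen_role_template` lets the user domain manage and relabel dirs, files, lnk_files and fifo_files under screen_runtime_t but not sock_files, while screen.te gives screen_domain `manage_sock_files_pattern` on that type and screen.fc labels /run/screen and /run/tmux with it; a user trying to remove a stale session socket by hand will be denied. If that is meant to work, add `manage_sock_files_pattern($3, screen_runtime_t, screen_runtime_t)` next to the four existing pattern calls. The same gap exists for screen_tmp_t, where only dir, file and fifo_file classes are granted.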
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
new file mode 100644
index 00000000..845c61c8
--- /dev/null
+++ b/policy/modules/apps/screen.te
@@ -0,0 +1,126 @@
+policy_module(screen, 2.9.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute screen_domain;
+
+attribute_role screen_roles;
+
+type screen_exec_t;
+application_executable_file(screen_exec_t)
+
+type screen_home_t;
+userdom_user_home_content(screen_home_t)
+
+type screen_tmp_t;
+userdom_user_tmp_file(screen_tmp_t)
+
+type screen_runtime_t;
+typealias screen_runtime_t alias screen_var_run_t;
+files_pid_file(screen_runtime_t)
+ubac_constrained(screen_runtime_t)
+
+########################################
+#
+# Common screen domain local policy
+#
+
+# dac_override : read /dev/pts/ID
+allow screen_domain self:capability { dac_override fsetid setgid setuid };
+allow screen_domain self:process signal_perms;
+allow screen_domain self:fd use;
+allow screen_domain self:fifo_file rw_fifo_file_perms;
+allow screen_domain self:tcp_socket { accept listen };
+allow screen_domain self:unix_stream_socket { accept connectto listen };
+
+manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
+files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
+filetrans_pattern(screen_domain, screen_tmp_t, screen_runtime_t, sock_file)
+
+manage_fifo_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+manage_dirs_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+manage_sock_files_pattern(screen_domain, screen_runtime_t, screen_runtime_t)
+files_pid_filetrans(screen_domain, screen_runtime_t, dir)
+
+manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
+read_files_pattern(screen_domain, screen_home_t, screen_home_t)
+manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
+read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
+userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir, ".screen")
+
+kernel_read_system_state(screen_domain)
+kernel_read_kernel_sysctls(screen_domain)
+
+corecmd_list_bin(screen_domain)
+corecmd_read_bin_files(screen_domain)
+corecmd_read_bin_pipes(screen_domain)
+corecmd_read_bin_sockets(screen_domain)
+
+corenet_all_recvfrom_unlabeled(screen_domain)
+corenet_all_recvfrom_netlabel(screen_domain)
+corenet_tcp_sendrecv_generic_if(screen_domain)
+corenet_tcp_sendrecv_generic_node(screen_domain)
+corenet_tcp_sendrecv_all_ports(screen_domain)
+
+corenet_sendrecv_all_client_packets(screen_domain)
+corenet_tcp_connect_all_ports(screen_domain)
+
+dev_dontaudit_getattr_all_chr_files(screen_domain)
+dev_dontaudit_getattr_all_blk_files(screen_domain)
+dev_read_urand(screen_domain)
+
+domain_use_interactive_fds(screen_domain)
+domain_sigchld_interactive_fds(screen_domain)
+domain_read_all_domains_state(screen_domain)
+
+files_list_home(screen_domain)
+files_read_usr_files(screen_domain)
+
+fs_search_auto_mountpoints(screen_domain)
+fs_getattr_all_fs(screen_domain)
+
+auth_dontaudit_read_shadow(screen_domain)
+auth_dontaudit_exec_utempter(screen_domain)
+
+init_rw_utmp(screen_domain)
+
+logging_send_syslog_msg(screen_domain)
+
+miscfiles_read_localization(screen_domain)
+
+seutil_read_config(screen_domain)
+
+userdom_use_user_terminals(screen_domain)
+userdom_create_user_pty(screen_domain)
+userdom_setattr_user_ptys(screen_domain)
+userdom_setattr_user_ttys(screen_domain)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(screen_domain)
+ fs_read_cifs_files(screen_domain)
+ fs_manage_cifs_named_pipes(screen_domain)
+ fs_read_cifs_symlinks(screen_domain)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(screen_domain)
+ fs_read_nfs_files(screen_domain)
+ fs_manage_nfs_named_pipes(screen_domain)
+ fs_read_nfs_symlinks(screen_domain)
+')
+
+ifdef(`distro_gentoo',`
+ ######################################
+ #
+ # screen domain policy
+ #
+
+ # Bug #463222 - Create and listen on socket (/tmp/tmux-*/default)
+ allow screen_domain screen_tmp_t:sock_file manage_sock_file_perms;
+ allow screen_domain self:unix_stream_socket { accept listen };
+')
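Review bot: `allow screen_domain self:unix_stream_socket { accept listen };` in the `distro_gentoo` block is a strict subset of the unconditional `{ accept connectto listen }` rule in the common section and can be dropped. The other Gentoo rule, sock_file management on screen_tmp_t, interacts with `filetrans_pattern(screen_domain, screen_tmp_t, screen_runtime_t, sock_file)` above: sockets screen creates inside its tmp directory are labelled screen_runtime_t by that transition, so the Gentoo rule only reaches sockets that already carry screen_tmp_t (pre-existing or relabelled ones). If the referenced bug is still reproducible, a short comment on why the filetrans does not cover it would stop a future cleanup from removing the rule; if not, the rule may be stale. `domain_read_all_domains_state(screen_domain)` is also broad for a terminal multiplexer and deserves a why-comment.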
diff --git a/policy/modules/apps/slocate.fc b/policy/modules/apps/slocate.fc
new file mode 100644
index 00000000..264e1bed
--- /dev/null
+++ b/policy/modules/apps/slocate.fc
@@ -0,0 +1,7 @@
+/etc/cron\.daily/[sm]locate -- gen_context(system_u:object_r:locate_exec_t,s0)
+
+/usr/bin/updatedb.* -- gen_context(system_u:object_r:locate_exec_t,s0)
+
+/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0)
+
+/run/mlocate\.daily\.lock -- gen_context(system_u:object_r:locate_var_run_t,s0)
diff --git a/policy/modules/apps/slocate.if b/policy/modules/apps/slocate.if
new file mode 100644
index 00000000..82de1b68
--- /dev/null
+++ b/policy/modules/apps/slocate.if
@@ -0,0 +1,21 @@
+## <summary>Update database for mlocate.</summary>
+
+########################################
+## <summary>
+## Read locate lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`locate_read_lib_files',`
+ gen_require(`
+ type locate_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, locate_var_lib_t, locate_var_lib_t)
+ allow $1 locate_var_lib_t:dir list_dir_perms;
+')
diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
new file mode 100644
index 00000000..2bf0fed4
--- /dev/null
+++ b/policy/modules/apps/slocate.te
@@ -0,0 +1,73 @@
+policy_module(slocate, 1.14.0)
+
+#################################
+#
+# Declarations
+#
+
+type locate_t;
+type locate_exec_t;
+init_system_domain(locate_t, locate_exec_t)
+
+type locate_var_lib_t;
+files_type(locate_var_lib_t)
+
+type locate_var_run_t;
+files_pid_file(locate_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow locate_t self:capability { chown dac_override dac_read_search fowner fsetid };
+allow locate_t self:process { execmem execheap execstack signal setsched };
+allow locate_t self:fifo_file rw_fifo_file_perms;
+allow locate_t self:unix_stream_socket create_socket_perms;
+
+manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
+
+allow locate_t locate_var_run_t:file manage_file_perms;
+files_pid_filetrans(locate_t, locate_var_run_t, file, "mlocate.daily.lock")
+
+can_exec(locate_t, locate_exec_t)
+
+kernel_read_system_state(locate_t)
+kernel_dontaudit_search_network_state(locate_t)
+kernel_dontaudit_search_sysctl(locate_t)
+
+corecmd_exec_bin(locate_t)
+corecmd_exec_shell(locate_t)
+
+dev_getattr_all_blk_files(locate_t)
+dev_getattr_all_chr_files(locate_t)
+
+files_list_all(locate_t)
+files_dontaudit_read_all_symlinks(locate_t)
+files_getattr_all_files(locate_t)
+files_getattr_all_pipes(locate_t)
+files_getattr_all_sockets(locate_t)
+files_read_etc_runtime_files(locate_t)
+
+fs_getattr_all_fs(locate_t)
+fs_getattr_all_files(locate_t)
+fs_getattr_all_pipes(locate_t)
+fs_getattr_all_symlinks(locate_t)
+fs_getattr_all_blk_files(locate_t)
+fs_getattr_all_chr_files(locate_t)
+fs_list_all(locate_t)
+fs_list_inotifyfs(locate_t)
+fs_read_noxattr_fs_symlinks(locate_t)
+
+auth_use_nsswitch(locate_t)
+
+miscfiles_read_localization(locate_t)
+
+ifdef(`enable_mls',`
+ files_dontaudit_getattr_all_dirs(locate_t)
+')
+
+optional_policy(`
+ cron_system_entry(locate_t, locate_exec_t)
+')
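Review bot: `allow locate_t self:process { execmem execheap execstack signal setsched };` grants all three executable-memory permissions to the updatedb domain without a comment, and those are exactly the permissions that defeat W^X for the domain. If they exist to silence denials from a particular runtime or architecture quirk, say so in a comment so they can be revisited; otherwise drop them. The capability line is understandable for a filesystem indexer, but `chown`/`fowner`/`fsetid` are less obvious than `dac_read_search` and a one-line comment naming the operation (presumably creating the database file with the intended ownership — confirm) would help.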
diff --git a/policy/modules/apps/syncthing.fc b/policy/modules/apps/syncthing.fc
new file mode 100644
index 00000000..e95b451e
--- /dev/null
+++ b/policy/modules/apps/syncthing.fc
@@ -0,0 +1,3 @@
+/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
+
+HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_xdg_config_t,s0)
diff --git a/policy/modules/apps/syncthing.if b/policy/modules/apps/syncthing.if
new file mode 100644
index 00000000..2c0eb24c
--- /dev/null
+++ b/policy/modules/apps/syncthing.if
@@ -0,0 +1,31 @@
+## <summary>Application that lets you synchronize your files across multiple devices.</summary>
+
+########################################
+## <summary>
+## Role access for Syncthing
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`syncthing_role', `
+ gen_require(`
+ attribute_role syncthing_roles;
+ type syncthing_t, syncthing_exec_t, syncthing_xdg_config_t;
+ ')
+
+ roleattribute $1 syncthing_roles;
+
+ domtrans_pattern($2, syncthing_exec_t, syncthing_t)
+
+ allow $2 syncthing_xdg_config_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_xdg_config_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_xdg_config_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+')
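Review bot: `syncthing_role` differs from the sibling `rssh_role` in this commit in that it gives the user domain no `ps_process_pattern($2, syncthing_t)` and no `allow $2 syncthing_t:process { ptrace signal_perms };`, so a user who launches syncthing from a shell cannot list or stop the transitioned process. If that is intended (syncthing_t is also an init daemon domain, so it may be managed through init instead), a comment saying so would help; otherwise adding those two lines mirrors the other role interfaces. The space after the comma in the `interface(` line also differs from every other interface in the commit.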
diff --git a/policy/modules/apps/syncthing.te b/policy/modules/apps/syncthing.te
new file mode 100644
index 00000000..5799b8e2
--- /dev/null
+++ b/policy/modules/apps/syncthing.te
@@ -0,0 +1,69 @@
+policy_module(syncthing, 1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role syncthing_roles;
+role syncthing_roles types syncthing_t;
+
+type syncthing_t;
+type syncthing_exec_t;
+init_daemon_domain(syncthing_t, syncthing_exec_t)
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+
+type syncthing_xdg_config_t alias syncthing_config_home_t;
+xdg_config_content(syncthing_xdg_config_t)
+
+########################################
+#
+# Declarations
+#
+
+allow syncthing_t self:process getsched;
+allow syncthing_t self:fifo_file rw_fifo_file_perms;
+allow syncthing_t self:tcp_socket { listen accept };
+
+can_exec(syncthing_t, syncthing_exec_t)
+
+manage_dirs_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)
+
+kernel_read_kernel_sysctls(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+kernel_read_system_state(syncthing_t)
+
+corenet_tcp_sendrecv_generic_if(syncthing_t)
+corenet_udp_sendrecv_generic_if(syncthing_t)
+corenet_tcp_bind_generic_node(syncthing_t)
+corenet_tcp_sendrecv_generic_node(syncthing_t)
+corenet_tcp_sendrecv_all_ports(syncthing_t)
+corenet_udp_bind_generic_node(syncthing_t)
+corenet_udp_sendrecv_generic_node(syncthing_t)
+corenet_udp_sendrecv_all_ports(syncthing_t)
+corenet_tcp_connect_all_ports(syncthing_t)
+corenet_tcp_bind_syncthing_port(syncthing_t)
+corenet_udp_bind_syncthing_discovery_port(syncthing_t)
+corenet_tcp_bind_syncthing_admin_port(syncthing_t)
+
+dev_read_rand(syncthing_t)
+dev_read_urand(syncthing_t)
+
+fs_getattr_xattr_fs(syncthing_t)
+
+auth_use_nsswitch(syncthing_t)
+
+miscfiles_read_generic_certs(syncthing_t)
+miscfiles_read_localization(syncthing_t)
+
+userdom_user_content_access_template(syncthing, syncthing_t)
+
+userdom_use_user_terminals(syncthing_t)
+
+optional_policy(`
+ # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+ networkmanager_read_pid_files(syncthing_t)
+')
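Review bot: The second banner comment reads `# Declarations` but introduces the allow rules; it should be `# Local policy` as in the other .te files of this commit. `role syncthing_roles types syncthing_t;` is placed before `type syncthing_t;` — this presumably still builds since checkmodule collects declarations in a separate pass, but moving it after the domain declaration matches the layout used in qemu.te and rssh.te. The `temporary hack` comment above `networkmanager_read_pid_files` should reference where the permanent sysnet change is tracked so the workaround does not outlive its purpose.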
diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc
new file mode 100644
index 00000000..4600d815
--- /dev/null
+++ b/policy/modules/apps/telepathy.fc
@@ -0,0 +1,35 @@
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_xdg_cache_t,s0)
+HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_xdg_cache_t, s0)
+HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t, s0)
+HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_xdg_cache_t,s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t,s0)
+HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_xdg_cache_t,s0)
+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
+HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_xdg_data_t,s0)
+HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_xdg_data_t,s0)
+HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0)
+HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_xdg_data_t,s0)
+
+/usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
+/usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+/usr/lib/telepathy/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
+/usr/lib/telepathy/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+/usr/lib/telepathy/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
+/usr/lib/telepathy/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+/usr/lib/telepathy/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t,s0)
+/usr/lib/telepathy/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+/usr/lib/telepathy/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+/usr/lib/telepathy/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
+/usr/lib/telepathy/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
+
+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
+/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
+/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
+/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
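Review bot: Three entries write the context with a space before the level — `telepathy_xdg_cache_t, s0)`, `telepathy_gabble_xdg_cache_t, s0)` and `telepathy_salut_exec_t, s0)` — while every other line in the file uses `,s0)`. m4 strips the leading blank from the argument, so this is cosmetic, but normalising the three lines keeps the file consistent and greppable.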
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
new file mode 100644
index 00000000..d81dc193
--- /dev/null
+++ b/policy/modules/apps/telepathy.if
@@ -0,0 +1,247 @@
+## <summary>Telepathy communications framework.</summary>
+
+#######################################
+## <summary>
+## The template to define a telepathy domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`telepathy_domain_template',`
+ gen_require(`
+ attribute telepathy_domain, telepathy_executable, telepathy_tmp_content;
+ ')
+
+ type telepathy_$1_t, telepathy_domain;
+ type telepathy_$1_exec_t, telepathy_executable;
+ userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+
+ type telepathy_$1_tmp_t, telepathy_tmp_content;
+ userdom_user_tmp_file(telepathy_$1_tmp_t)
+
+ optional_policy(`
+ wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ ')
+
+ auth_use_nsswitch(telepathy_$1_t)
+')
+
+#######################################
+## <summary>
+## The role template for the telepathy module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for window manager applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`telepathy_role_template',`
+ gen_require(`
+ attribute telepathy_domain, telepathy_tmp_content;
+ type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
+ type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
+ type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
+ type telepathy_sofiasip_exec_t, telepathy_idle_exec_t;
+ type telepathy_logger_t, telepathy_logger_exec_t;
+ type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
+ type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
+ type telepathy_msn_exec_t;
+
+ type telepathy_mission_control_xdg_cache_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t;
+ type telepathy_gabble_xdg_cache_t, telepathy_mission_control_t, telepathy_xdg_data_t;
+ type telepathy_mission_control_xdg_data_t, telepathy_sunshine_home_t, telepathy_logger_xdg_data_t;
+ type telepathy_mission_control_home_t;
+ ')
+
+ role $2 types telepathy_domain;
+
+ allow $3 telepathy_domain:process { ptrace signal_perms };
+ ps_process_pattern($3, telepathy_domain)
+
+ telepathy_gabble_stream_connect($3)
+ telepathy_msn_stream_connect($3)
+ telepathy_salut_stream_connect($3)
+
+ dbus_spec_session_domain($1, telepathy_gabble_t, telepathy_gabble_exec_t)
+ dbus_spec_session_domain($1, telepathy_sofiasip_t, telepathy_sofiasip_exec_t)
+ dbus_spec_session_domain($1, telepathy_idle_t, telepathy_idle_exec_t)
+ dbus_spec_session_domain($1, telepathy_logger_t, telepathy_logger_exec_t)
+ dbus_spec_session_domain($1, telepathy_mission_control_t, telepathy_mission_control_exec_t)
+ dbus_spec_session_domain($1, telepathy_salut_t, telepathy_salut_exec_t)
+ dbus_spec_session_domain($1, telepathy_sunshine_t, telepathy_sunshine_exec_t)
+ dbus_spec_session_domain($1, telepathy_stream_engine_t, telepathy_stream_engine_exec_t)
+ dbus_spec_session_domain($1, telepathy_msn_t, telepathy_msn_exec_t)
+
+ allow $3 { telepathy_mission_control_xdg_cache_t telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms };
+
+ allow $3 { telepathy_mission_control_xdg_cache_t telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:file { manage_file_perms relabel_file_perms };
+
+ filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble")
+ # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
+
+ filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger")
+ # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
+
+ userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
+ filetrans_pattern($3, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control")
+ # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+
+ userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+
+ # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy")
+ # gnome_data_filetrans($3, telepathy_data_home_t, dir, "telepathy")
+
+ allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms };
+ allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms };
+ allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+
+ telepathy_mission_control_dbus_chat($3)
+')
+
+########################################
+## <summary>
+## Connect to gabble with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_gabble_stream_connect',`
+ gen_require(`
+ type telepathy_gabble_t, telepathy_gabble_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
+')
+
+########################################
+## <summary>
+## Send dbus messages to and from
+## gabble.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_gabble_dbus_chat',`
+ gen_require(`
+ type telepathy_gabble_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_gabble_t:dbus send_msg;
+ allow telepathy_gabble_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send dbus messages to and from
+## mission control.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_mission_control_dbus_chat',`
+ gen_require(`
+ type telepathy_mission_control_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 telepathy_mission_control_t:dbus send_msg;
+ allow telepathy_mission_control_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read mission control process state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_mission_control_read_state',`
+ gen_require(`
+ type telepathy_mission_control_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 telepathy_mission_control_t:dir list_dir_perms;
+ allow $1 telepathy_mission_control_t:file read_file_perms;
+ allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+## Connect to msn with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_msn_stream_connect',`
+ gen_require(`
+ type telepathy_msn_t, telepathy_msn_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
+')
+
+########################################
+## <summary>
+## Connect to salut with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telepathy_salut_stream_connect',`
+ gen_require(`
+ type telepathy_salut_t, telepathy_salut_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
+')
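Review bot: The `<desc>` of `telepathy_role_template` ("creates a derived domains which are used for window manager applications") is copied from another module and does not describe this template; replace it with something like `## This template gives a user role and domain access to the telepathy domains and their home, XDG and tmp content, and registers each connection manager as a session dbus service.` In the same template's gen_require, `telepathy_mission_control_t` is listed twice (once in the domain group and again in the XDG group), which the compiler tolerates but which suggests the list was not tidied after the xdg conversion. The five commented-out `gnome_cache_filetrans`/`gnome_data_filetrans` calls in the body refer to the old `*_cache_home_t`/`*_data_home_t` names that the .te file now only keeps as aliases; most have an xdg-based replacement on the line above them, so the dead lines should be dropped or, where no replacement exists (the `.mc_connections` file and the top-level "telepathy" directories), turned into a one-line comment saying what is still missing.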
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
index 00000000..8f0997d9
--- /dev/null
+++ b/policy/modules/apps/telepathy.te
@@ -0,0 +1,485 @@
+policy_module(telepathy, 1.8.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether telepathy connection
+## managers can connect to generic tcp ports.
+## </p>
+## </desc>
+gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
+
+## <desc>
+## <p>
+## Determine whether telepathy connection
+## managers can connect to any port.
+## </p>
+## </desc>
+gen_tunable(telepathy_connect_all_ports, false)
+
+attribute telepathy_domain;
+attribute telepathy_executable;
+attribute telepathy_tmp_content;
+
+telepathy_domain_template(gabble)
+
+type telepathy_xdg_cache_t alias telepathy_cache_home_t;
+xdg_cache_content(telepathy_xdg_cache_t)
+
+type telepathy_gabble_xdg_cache_t alias telepathy_gabble_cache_home_t;
+xdg_cache_content(telepathy_gabble_xdg_cache_t)
+
+telepathy_domain_template(idle)
+telepathy_domain_template(logger)
+
+type telepathy_xdg_data_t alias telepathy_data_home_t;
+xdg_data_content(telepathy_xdg_data_t)
+
+type telepathy_logger_xdg_cache_t alias telepathy_logger_cache_home_t;
+xdg_cache_content(telepathy_logger_xdg_cache_t)
+
+type telepathy_logger_xdg_data_t alias telepathy_logger_data_home_t;
+xdg_data_content(telepathy_logger_xdg_data_t)
+
+telepathy_domain_template(mission_control)
+
+type telepathy_mission_control_home_t;
+userdom_user_home_content(telepathy_mission_control_home_t)
+
+type telepathy_mission_control_xdg_data_t alias telepathy_mission_control_data_home_t;
+xdg_data_content(telepathy_mission_control_xdg_data_t)
+
+type telepathy_mission_control_xdg_cache_t alias telepathy_mission_control_cache_home_t;
+xdg_cache_content(telepathy_mission_control_xdg_cache_t)
+
+telepathy_domain_template(msn)
+telepathy_domain_template(salut)
+telepathy_domain_template(sofiasip)
+telepathy_domain_template(stream_engine)
+telepathy_domain_template(sunshine)
+
+type telepathy_sunshine_home_t;
+userdom_user_home_content(telepathy_sunshine_home_t)
+
+#######################################
+#
+# Gabble local policy
+#
+
+allow telepathy_gabble_t self:tcp_socket { accept listen };
+allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
+
+# ~/.cache/telepathy/gabble/caps-cache.db-journal
+manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+manage_files_pattern(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+filetrans_pattern(telepathy_gabble_t, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble")
+# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_xdg_cache_t, dir, "wocky")
+
+manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
+
+corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
+corenet_all_recvfrom_netlabel(telepathy_gabble_t)
+corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
+corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
+
+corenet_sendrecv_http_client_packets(telepathy_gabble_t)
+corenet_tcp_connect_http_port(telepathy_gabble_t)
+corenet_tcp_sendrecv_http_port(telepathy_gabble_t)
+
+corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
+corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
+corenet_tcp_sendrecv_jabber_client_port(telepathy_gabble_t)
+
+corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
+corenet_tcp_connect_vnc_port(telepathy_gabble_t)
+corenet_tcp_sendrecv_vnc_port(telepathy_gabble_t)
+
+dev_read_rand(telepathy_gabble_t)
+
+files_read_config_files(telepathy_gabble_t)
+files_read_usr_files(telepathy_gabble_t)
+
+miscfiles_read_all_certs(telepathy_gabble_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_sendrecv_all_client_packets(telepathy_gabble_t)
+ corenet_tcp_connect_all_ports(telepathy_gabble_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_gabble_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
+ corenet_tcp_connect_generic_port(telepathy_gabble_t)
+ corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_gabble_t)
+ fs_manage_nfs_files(telepathy_gabble_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_gabble_t)
+ fs_manage_cifs_files(telepathy_gabble_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_gabble_t)
+')
+
+# optional_policy(`
+ # ~/.config/dconf/user
+ # gnome_manage_generic_home_content(telepathy_gabble_t)
+# ')
+
+#######################################
+#
+# Idle local policy
+#
+
+corenet_all_recvfrom_netlabel(telepathy_idle_t)
+corenet_all_recvfrom_unlabeled(telepathy_idle_t)
+corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
+corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
+
+corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t)
+corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
+corenet_tcp_sendrecv_gatekeeper_port(telepathy_idle_t)
+
+corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
+corenet_tcp_connect_ircd_port(telepathy_idle_t)
+corenet_tcp_sendrecv_ircd_port(telepathy_idle_t)
+
+dev_read_rand(telepathy_idle_t)
+
+files_read_usr_files(telepathy_idle_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_sendrecv_all_client_packets(telepathy_idle_t)
+ corenet_tcp_connect_all_ports(telepathy_idle_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_idle_t)
+ corenet_tcp_connect_generic_port(telepathy_idle_t)
+ corenet_tcp_sendrecv_generic_port(telepathy_idle_t)
+')
+
+#######################################
+#
+# Logger local policy
+#
+
+allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
+
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_cache_t, telepathy_logger_xdg_cache_t)
+filetrans_pattern(telepathy_logger_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger")
+
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_xdg_data_t, telepathy_logger_xdg_data_t)
+# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_xdg_data_t, dir, "TpLogger")
+
+files_read_usr_files(telepathy_logger_t)
+files_search_pids(telepathy_logger_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_logger_t)
+ fs_manage_nfs_files(telepathy_logger_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_logger_t)
+ fs_manage_cifs_files(telepathy_logger_t)
+')
+
+# optional_policy(`
+ # ~/.config/dconf/user
+ # gnome_manage_generic_home_content(telepathy_logger_t)
+# ')
+
+#######################################
+#
+# Mission-Control local policy
+#
+
+allow telepathy_mission_control_t self:process setsched;
+
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
+
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_data_t, telepathy_mission_control_xdg_data_t)
+filetrans_pattern(telepathy_mission_control_t, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control")
+
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, telepathy_mission_control_xdg_cache_t)
+# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_xdg_cache_t, file, ".mc_connections")
+
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_xdg_cache_t, telepathy_gabble_xdg_cache_t)
+
+dev_read_rand(telepathy_mission_control_t)
+
+files_list_tmp(telepathy_mission_control_t)
+files_read_usr_files(telepathy_mission_control_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_mission_control_t)
+ fs_manage_nfs_files(telepathy_mission_control_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_mission_control_t)
+ fs_manage_cifs_files(telepathy_mission_control_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_mission_control_t)
+
+ optional_policy(`
+ devicekit_dbus_chat_power(telepathy_mission_control_t)
+ ')
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t)
+ ')
+ optional_policy(`
+ networkmanager_dbus_chat(telepathy_mission_control_t)
+ ')
+')
+
+# optional_policy(`
+ # ~/.config/dconf/user
+ # gnome_manage_generic_home_content(telepathy_mission_control_t)
+# ')
+
+#######################################
+#
+# Butterfly and Haze local policy
+#
+
+allow telepathy_msn_t self:process setsched;
+
+manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+
+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+
+can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
+
+corenet_all_recvfrom_netlabel(telepathy_msn_t)
+corenet_all_recvfrom_unlabeled(telepathy_msn_t)
+corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
+corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
+
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_tcp_connect_http_port(telepathy_msn_t)
+corenet_tcp_sendrecv_http_port(telepathy_msn_t)
+
+corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
+corenet_tcp_connect_mmcc_port(telepathy_msn_t)
+corenet_tcp_sendrecv_mmcc_port(telepathy_msn_t)
+
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
+corenet_tcp_connect_msnp_port(telepathy_msn_t)
+corenet_tcp_sendrecv_msnp_port(telepathy_msn_t)
+
+corenet_sendrecv_sip_client_packets(telepathy_msn_t)
+corenet_tcp_connect_sip_port(telepathy_msn_t)
+corenet_tcp_sendrecv_sip_port(telepathy_msn_t)
+
+corecmd_exec_bin(telepathy_msn_t)
+corecmd_exec_shell(telepathy_msn_t)
+
+files_read_usr_files(telepathy_msn_t)
+
+init_read_state(telepathy_msn_t)
+
+libs_exec_ldconfig(telepathy_msn_t)
+
+logging_send_syslog_msg(telepathy_msn_t)
+
+miscfiles_read_all_certs(telepathy_msn_t)
+
+# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_sendrecv_all_client_packets(telepathy_msn_t)
+ corenet_tcp_connect_all_ports(telepathy_msn_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_msn_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_msn_t)
+ corenet_tcp_connect_generic_port(telepathy_msn_t)
+ corenet_tcp_sendrecv_generic_port(telepathy_msn_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_msn_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(telepathy_msn_t)
+ ')
+')
+
+# optional_policy(`
+ # ~/.config/dconf/user
+ # gnome_manage_generic_home_content(telepathy_msn_t)
+# ')
+
+#######################################
+#
+# Salut local policy
+#
+
+allow telepathy_salut_t self:tcp_socket { accept listen };
+
+manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
+files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
+
+corenet_all_recvfrom_netlabel(telepathy_salut_t)
+corenet_all_recvfrom_unlabeled(telepathy_salut_t)
+corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
+corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
+corenet_tcp_bind_generic_node(telepathy_salut_t)
+
+corenet_sendrecv_presence_server_packets(telepathy_salut_t)
+corenet_tcp_bind_presence_port(telepathy_salut_t)
+corenet_sendrecv_presence_client_packets(telepathy_salut_t)
+corenet_tcp_connect_presence_port(telepathy_salut_t)
+corenet_tcp_sendrecv_presence_port(telepathy_salut_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_sendrecv_all_client_packets(telepathy_salut_t)
+ corenet_tcp_connect_all_ports(telepathy_salut_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_salut_t)
+ corenet_tcp_connect_generic_port(telepathy_salut_t)
+ corenet_tcp_sendrecv_generic_port(telepathy_salut_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(telepathy_salut_t)
+
+ optional_policy(`
+ avahi_dbus_chat(telepathy_salut_t)
+ ')
+')
+
+#######################################
+#
+# Sofiasip local policy
+#
+
+allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms;
+allow telepathy_sofiasip_t self:tcp_socket { accept listen };
+
+corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
+corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
+corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
+corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t)
+corenet_tcp_bind_generic_node(telepathy_sofiasip_t)
+corenet_raw_bind_generic_node(telepathy_sofiasip_t)
+
+corenet_sendrecv_all_server_packets(telepathy_sofiasip_t)
+corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
+
+corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
+
+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
+corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
+corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t)
+
+kernel_request_load_module(telepathy_sofiasip_t)
+
+tunable_policy(`telepathy_connect_all_ports',`
+ corenet_sendrecv_all_client_packets(telepathy_sofiasip_t)
+ corenet_tcp_connect_all_ports(telepathy_sofiasip_t)
+ corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
+')
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
+ corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
+ corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t)
+')
+
+#######################################
+#
+# Sunshine local policy
+#
+
+manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
+
+can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t)
+
+corecmd_exec_bin(telepathy_sunshine_t)
+
+files_read_usr_files(telepathy_sunshine_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_sunshine_t)
+ fs_manage_nfs_files(telepathy_sunshine_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_sunshine_t)
+ fs_manage_cifs_files(telepathy_sunshine_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(telepathy_sunshine_t)
+ xserver_stream_connect(telepathy_sunshine_t)
+')
+
+#######################################
+#
+# Common telepathy domain local policy
+#
+
+allow telepathy_domain self:process { getsched signal sigkill };
+allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(telepathy_domain, telepathy_xdg_cache_t, telepathy_xdg_cache_t)
+xdg_cache_filetrans(telepathy_domain, telepathy_xdg_cache_t, dir, "telepathy")
+
+manage_dirs_pattern(telepathy_domain, telepathy_xdg_data_t, telepathy_xdg_data_t)
+xdg_data_filetrans(telepathy_domain, telepathy_xdg_data_t, dir, "telepathy")
+
+dev_read_urand(telepathy_domain)
+
+kernel_read_system_state(telepathy_domain)
+
+fs_getattr_all_fs(telepathy_domain)
+fs_search_auto_mountpoints(telepathy_domain)
+
+miscfiles_read_localization(telepathy_domain)
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
+')
+
+optional_policy(`
+ xserver_rw_xdm_pipes(telepathy_domain)
+')
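Review bot: For `telepathy_sofiasip_t` the `telepathy_connect_all_ports` tunable is only partly effective: `corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)` is already granted unconditionally in the Sofiasip section, next to `corenet_sendrecv_all_server_packets` and `corenet_tcp_bind_all_unreserved_ports`, so the tunable block for that domain only adds the connect permission, and the unconditional lines deserve a why-comment (presumably the SIP stack binds ephemeral ports for media, but nothing on the page states that). The same section grants `self:rawip_socket create_stream_socket_perms` together with `corenet_raw_sendrecv_generic_if`/`corenet_raw_bind_generic_node` without saying why a user-session SIP connection manager needs raw IP sockets; add a comment such as `# raw IP socket used for <reason — confirm>` or drop the rules if unused, noting that without a matching `net_raw` capability they may be dead anyway. Separately, `can_exec(telepathy_msn_t, telepathy_msn_tmp_t)` and `can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t)` let network-facing connection managers execute content they themselves create in /tmp; if a backend genuinely needs that, a comment beside each rule should say which one and why. The commented-out `gnome_manage_generic_home_content` blocks repeated in the Gabble, Logger, Mission-Control and Butterfly/Haze sections should be removed or collapsed into a single explanatory comment rather than carried as dead policy.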
diff --git a/policy/modules/apps/thunderbird.fc b/policy/modules/apps/thunderbird.fc
new file mode 100644
index 00000000..eacb7a17
--- /dev/null
+++ b/policy/modules/apps/thunderbird.fc
@@ -0,0 +1,13 @@
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0)
+
+/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/lib/thunderbird/thunderbird -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+
+/opt/thunderbird/plugin-container -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/run-mozilla\.sh -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/thunderbird -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/thunderbird-bin -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+/opt/thunderbird/updater -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
+')
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
new file mode 100644
index 00000000..9c5f0b91
--- /dev/null
+++ b/policy/modules/apps/thunderbird.if
@@ -0,0 +1,59 @@
+## <summary>Thunderbird email client.</summary>
+
+########################################
+## <summary>
+## Role access for thunderbird.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`thunderbird_role',`
+ gen_require(`
+ attribute_role thunderbird_roles;
+ type thunderbird_t, thunderbird_exec_t, thunderbird_home_t;
+ type thunderbird_tmpfs_t;
+ ')
+
+ roleattribute $1 thunderbird_roles;
+
+ domtrans_pattern($2, thunderbird_exec_t, thunderbird_t)
+
+ stream_connect_pattern($2, thunderbird_tmpfs_t, thunderbird_tmpfs_t, thunderbird_t)
+
+ allow thunderbird_t $2:unix_stream_socket connectto;
+
+ allow $2 thunderbird_t:process { ptrace signal_perms };
+ ps_process_pattern($2, thunderbird_t)
+
+ allow $2 thunderbird_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 thunderbird_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 thunderbird_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, thunderbird_home_t, dir, ".thunderbird")
+')
+
+########################################
+## <summary>
+## Execute thunderbird in the thunderbird domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`thunderbird_domtrans',`
+ gen_require(`
+ type thunderbird_t, thunderbird_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, thunderbird_exec_t, thunderbird_t)
+')
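Review bot: `thunderbird_role` re-implements the domain transition with a bare `domtrans_pattern($2, thunderbird_exec_t, thunderbird_t)` instead of calling the `thunderbird_domtrans($2)` interface declared directly below it, so the two paths already diverge: the role variant lacks the `corecmd_search_bin` the standalone interface grants, and any later change to the transition has to be made twice. Replacing that line with `thunderbird_domtrans($2)` keeps a single definition; the `thunderbird_t`/`thunderbird_exec_t` entries in the role's gen_require can stay since the other rules still use them. The role also grants `$2` `ptrace` over `thunderbird_t`; if that is intentional it mirrors the other user-application modules, otherwise consider limiting the rule to `signal_perms`.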
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
new file mode 100644
index 00000000..1f39efce
--- /dev/null
+++ b/policy/modules/apps/thunderbird.te
@@ -0,0 +1,217 @@
+policy_module(thunderbird, 2.7.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role thunderbird_roles;
+
+type thunderbird_t;
+type thunderbird_exec_t;
+typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
+typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
+userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)
+role thunderbird_roles types thunderbird_t;
+
+type thunderbird_home_t;
+typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
+typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
+userdom_user_home_content(thunderbird_home_t)
+
+type thunderbird_tmpfs_t;
+typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t };
+typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t };
+userdom_user_tmpfs_file(thunderbird_tmpfs_t)
+
+type thunderbird_xdg_cache_t;
+xdg_cache_content(thunderbird_xdg_cache_t)
+
+optional_policy(`
+ wm_application_domain(thunderbird_t, thunderbird_exec_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow thunderbird_t self:capability sys_nice;
+allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
+allow thunderbird_t self:fifo_file rw_fifo_file_perms;
+allow thunderbird_t self:unix_dgram_socket create_socket_perms;
+allow thunderbird_t self:unix_stream_socket create_stream_socket_perms;
+allow thunderbird_t self:shm create_shm_perms;
+
+manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+userdom_user_home_dir_filetrans(thunderbird_t, thunderbird_home_t, dir, ".thunderbird")
+
+manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(thunderbird_t, thunderbird_xdg_cache_t, thunderbird_xdg_cache_t)
+manage_dirs_pattern(thunderbird_t, thunderbird_xdg_cache_t, thunderbird_xdg_cache_t)
+xdg_cache_filetrans(thunderbird_t, thunderbird_xdg_cache_t, dir, "thunderbird")
+
+kernel_read_network_state(thunderbird_t)
+kernel_read_net_sysctls(thunderbird_t)
+kernel_read_system_state(thunderbird_t)
+
+corecmd_exec_shell(thunderbird_t)
+
+corenet_all_recvfrom_unlabeled(thunderbird_t)
+corenet_all_recvfrom_netlabel(thunderbird_t)
+corenet_tcp_sendrecv_generic_if(thunderbird_t)
+corenet_tcp_sendrecv_generic_node(thunderbird_t)
+
+corenet_sendrecv_ipp_client_packets(thunderbird_t)
+corenet_tcp_connect_ipp_port(thunderbird_t)
+corenet_tcp_sendrecv_ipp_port(thunderbird_t)
+
+corenet_sendrecv_innd_client_packets(thunderbird_t)
+corenet_tcp_connect_innd_port(thunderbird_t)
+corenet_tcp_sendrecv_innd_port(thunderbird_t)
+
+corenet_sendrecv_smtp_client_packets(thunderbird_t)
+corenet_tcp_connect_smtp_port(thunderbird_t)
+corenet_tcp_sendrecv_smtp_port(thunderbird_t)
+
+corenet_sendrecv_pop_client_packets(thunderbird_t)
+corenet_tcp_connect_pop_port(thunderbird_t)
+corenet_tcp_sendrecv_pop_port(thunderbird_t)
+
+corenet_sendrecv_http_client_packets(thunderbird_t)
+corenet_tcp_connect_http_port(thunderbird_t)
+corenet_tcp_sendrecv_http_port(thunderbird_t)
+
+dev_read_urand(thunderbird_t)
+dev_dontaudit_search_sysfs(thunderbird_t)
+
+files_list_tmp(thunderbird_t)
+files_map_usr_files(thunderbird_t)
+files_read_usr_files(thunderbird_t)
+files_read_etc_runtime_files(thunderbird_t)
+files_read_var_files(thunderbird_t)
+files_read_var_symlinks(thunderbird_t)
+files_dontaudit_getattr_all_tmp_files(thunderbird_t)
+files_dontaudit_getattr_boot_dirs(thunderbird_t)
+files_dontaudit_getattr_lost_found_dirs(thunderbird_t)
+files_dontaudit_search_mnt(thunderbird_t)
+
+fs_getattr_all_fs(thunderbird_t)
+fs_list_inotifyfs(thunderbird_t)
+fs_search_auto_mountpoints(thunderbird_t)
+
+auth_use_nsswitch(thunderbird_t)
+
+miscfiles_read_fonts(thunderbird_t)
+miscfiles_read_localization(thunderbird_t)
+
+userdom_write_user_tmp_sockets(thunderbird_t)
+userdom_manage_user_tmp_dirs(thunderbird_t)
+userdom_manage_user_tmp_files(thunderbird_t)
+userdom_user_content_access_template(thunderbird, thunderbird_t)
+
+xdg_read_data_files(thunderbird_t)
+xdg_manage_downloads(thunderbird_t)
+
+xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+xserver_read_xdm_tmp_files(thunderbird_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(thunderbird_t)
+ fs_manage_nfs_files(thunderbird_t)
+ fs_manage_nfs_symlinks(thunderbird_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(thunderbird_t)
+ fs_manage_cifs_files(thunderbird_t)
+ fs_manage_cifs_symlinks(thunderbird_t)
+')
+
+ifndef(`enable_mls',`
+ fs_search_removable(thunderbird_t)
+ fs_read_removable_files(thunderbird_t)
+ fs_read_removable_symlinks(thunderbird_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(thunderbird_t)
+ dbus_all_session_bus_client(thunderbird_t)
+
+ optional_policy(`
+ cups_dbus_chat(thunderbird_t)
+ ')
+
+ optional_policy(`
+ mozilla_dbus_chat(thunderbird_t)
+ ')
+')
+
+optional_policy(`
+ cups_read_rw_config(thunderbird_t)
+ cups_stream_connect(thunderbird_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(thunderbird_t)
+ gnome_domtrans_gconfd(thunderbird_t)
+ gnome_manage_generic_home_content(thunderbird_t)
+')
+
+optional_policy(`
+ gpg_domtrans(thunderbird_t)
+')
+
+optional_policy(`
+ lpd_run_lpr(thunderbird_t, thunderbird_roles)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(thunderbird_t)
+ mozilla_domtrans(thunderbird_t)
+')
+
+ifdef(`distro_gentoo',`
+ typealias thunderbird_xdg_cache_t alias thunderbird_xdg_cache_home_t;
+
+ type thunderbird_tmp_t;
+ userdom_user_tmp_file(thunderbird_tmp_t)
+
+ ################################
+ #
+ # Thunderbird local policy
+ #
+
+ # thunderbird-bin to execute stuff in /opt/thunderbird/
+ can_exec(thunderbird_t, thunderbird_exec_t)
+
+ manage_dirs_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+ manage_files_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+ files_tmp_filetrans(thunderbird_t, thunderbird_tmp_t, { dir file })
+
+ # File preview apps for instance
+ corecmd_exec_bin(thunderbird_t)
+
+ dev_read_sysfs(thunderbird_t)
+ dev_rw_dri(thunderbird_t)
+
+ userdom_use_user_ptys(thunderbird_t)
+
+ optional_policy(`
+ pulseaudio_domtrans(thunderbird_t)
+ pulseaudio_tmpfs_content(thunderbird_tmpfs_t)
+ ')
+')
+
+optional_policy(`
+ ooffice_domtrans(thunderbird_t)
+ ooffice_rw_tmp_files(thunderbird_t)
+')
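Review bot: The line `allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };` at the top of the local policy grants all three W^X exemptions with no comment saying why; execmem is plausibly needed by the JavaScript JIT, but execheap and execstack are harder to justify for a client that parses untrusted network content, and if they were added only to silence denials they deserve a re-check. A one-line why-comment above the rule, `# execmem: JS JIT; execheap/execstack: confirm still required by current releases`, would stop the next maintainer from carrying them forward unexamined. Separately, the distro_gentoo ifdef block declares `type thunderbird_tmp_t;` inside the local-policy section rather than under Declarations, which is where the rest of this file keeps its type declarations.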
diff --git a/policy/modules/apps/tvtime.fc b/policy/modules/apps/tvtime.fc
new file mode 100644
index 00000000..92cb760a
--- /dev/null
+++ b/policy/modules/apps/tvtime.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.tvtime(/.*)? gen_context(system_u:object_r:tvtime_home_t,s0)
+
+/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0)
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
new file mode 100644
index 00000000..1bb0f7c7
--- /dev/null
+++ b/policy/modules/apps/tvtime.if
@@ -0,0 +1,38 @@
+## <summary>High quality television application.</summary>
+
+########################################
+## <summary>
+## Role access for tvtime
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`tvtime_role',`
+ gen_require(`
+ attribute_role tvtime_roles;
+ type tvtime_t, tvtime_exec_t, tvtime_tmp_t;
+ type tvtime_home_t, tvtime_tmpfs_t;
+ ')
+
+ roleattribute $1 tvtime_roles;
+
+ domtrans_pattern($2, tvtime_exec_t, tvtime_t)
+
+ ps_process_pattern($2, tvtime_t)
+ allow $2 tvtime_t:process { ptrace signal_perms };
+
+ allow $2 { tvtime_home_t tvtime_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { tvtime_home_t tvtime_tmpfs_t tvtime_tmp_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { tvtime_home_t tvtime_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 tvtime_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 tvtime_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_user_home_dir_filetrans($2, tvtime_home_t, dir, ".tvtime")
+')
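Review bot: The XML summaries in this file (`## Role access for tvtime`, `## Role allowed access`, `## User domain for the role`) lack the terminating period that the sibling thunderbird.if and uml.if hunks in this same commit use, so the generated interface documentation will read inconsistently. Since these are new files, aligning them now (`## Role access for tvtime.` etc.) is cheaper than a follow-up cleanup commit.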
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
new file mode 100644
index 00000000..1b138dd8
--- /dev/null
+++ b/policy/modules/apps/tvtime.te
@@ -0,0 +1,94 @@
+policy_module(tvtime, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role tvtime_roles;
+
+type tvtime_t;
+type tvtime_exec_t;
+typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
+typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
+userdom_user_application_domain(tvtime_t, tvtime_exec_t)
+role tvtime_roles types tvtime_t;
+
+type tvtime_home_t alias tvtime_rw_t;
+typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
+typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
+userdom_user_home_content(tvtime_home_t)
+
+type tvtime_tmp_t;
+typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
+typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
+userdom_user_tmp_file(tvtime_tmp_t)
+
+type tvtime_tmpfs_t;
+typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
+typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t };
+userdom_user_tmpfs_file(tvtime_tmpfs_t)
+
+optional_policy(`
+ wm_application_domain(tvtime_t, tvtime_exec_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow tvtime_t self:capability { setuid sys_nice sys_resource };
+allow tvtime_t self:process setsched;
+allow tvtime_t self:unix_dgram_socket rw_socket_perms;
+allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+
+manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)
+
+manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir })
+
+manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file })
+
+kernel_read_all_sysctls(tvtime_t)
+kernel_get_sysvipc_info(tvtime_t)
+
+dev_read_realtime_clock(tvtime_t)
+dev_read_sound(tvtime_t)
+dev_read_urand(tvtime_t)
+
+files_read_usr_files(tvtime_t)
+
+fs_getattr_all_fs(tvtime_t)
+fs_search_auto_mountpoints(tvtime_t)
+
+auth_use_nsswitch(tvtime_t)
+
+miscfiles_read_fonts(tvtime_t)
+miscfiles_read_localization(tvtime_t)
+
+userdom_use_user_terminals(tvtime_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(tvtime_t)
+ fs_manage_nfs_files(tvtime_t)
+ fs_manage_nfs_symlinks(tvtime_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(tvtime_t)
+ fs_manage_cifs_files(tvtime_t)
+ fs_manage_cifs_symlinks(tvtime_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
+')
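Review bot: The home-dir transition `userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)` omits the name argument, so every directory tvtime_t creates directly under the home directory is labelled tvtime_home_t, not just `.tvtime`; the tvtime.fc hunk and `tvtime_role` in tvtime.if both scope that label to `.tvtime`, so the .te should match: `userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir, ".tvtime")`. The capability grant `allow tvtime_t self:capability { setuid sys_nice sys_resource };` would also benefit from a why-comment, presumably along the lines of `# setuid: drops root after raising scheduling priority - confirm`, since setuid on a user application domain is the kind of thing a later reviewer will otherwise question.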
diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc
new file mode 100644
index 00000000..567966e0
--- /dev/null
+++ b/policy/modules/apps/uml.fc
@@ -0,0 +1,5 @@
+HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0)
+
+/usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0)
+
+/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0)
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
new file mode 100644
index 00000000..ab5c1d0d
--- /dev/null
+++ b/policy/modules/apps/uml.if
@@ -0,0 +1,81 @@
+## <summary>User mode linux tools and services.</summary>
+
+########################################
+## <summary>
+## Role access for uml.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`uml_role',`
+ gen_require(`
+ attribute_role uml_roles;
+ type uml_t, uml_exec_t;
+ type uml_ro_t, uml_rw_t, uml_tmp_t;
+ type uml_devpts_t, uml_tmpfs_t;
+ ')
+
+ roleattribute $1 uml_roles;
+
+ domtrans_pattern($2, uml_exec_t, uml_t)
+
+ dgram_send_pattern($2, uml_tmpfs_t, uml_tmpfs_t, uml_t)
+
+ allow uml_t $2:unix_dgram_socket sendto;
+
+ ps_process_pattern($2, uml_t)
+ allow $2 uml_t:process { ptrace signal_perms };
+
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_user_home_dir_filetrans($2, uml_rw_t, dir, ".uml")
+')
+
+########################################
+## <summary>
+## Set attributes of uml pid sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uml_setattr_util_sockets',`
+ gen_require(`
+ type uml_switch_var_run_t;
+ ')
+
+ allow $1 uml_switch_var_run_t:sock_file setattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## uml pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`uml_manage_util_files',`
+ gen_require(`
+ type uml_switch_var_run_t;
+ ')
+
+ manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
+ manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
+')
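Review bot: In `uml_role` the gen_require block lists `type uml_devpts_t, uml_tmpfs_t;` but uml_devpts_t is never referenced in the interface body, so the require should be trimmed to `type uml_tmpfs_t;`. The same interface grants `$2` manage and relabel rights over `uml_exec_t` directories and files, which means the caller can rewrite the entry-point binary of the domain it transitions into; the `# customizable` marker on the type in uml.te suggests this is intended (user-supplied UML kernel images), but a short comment above those allow lines stating that would make the trust model explicit.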
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
new file mode 100644
index 00000000..0e2f4c99
--- /dev/null
+++ b/policy/modules/apps/uml.te
@@ -0,0 +1,185 @@
+policy_module(uml, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role uml_roles;
+
+type uml_t;
+type uml_exec_t; # customizable
+typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t };
+typealias uml_t alias { auditadm_uml_t secadm_uml_t };
+userdom_user_application_domain(uml_t, uml_exec_t)
+role uml_roles types uml_t;
+
+type uml_ro_t; # customizable
+typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
+typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
+userdom_user_home_content(uml_ro_t)
+
+type uml_rw_t;
+typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
+typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
+userdom_user_home_content(uml_rw_t)
+
+type uml_tmp_t;
+typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
+typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
+userdom_user_tmp_file(uml_tmp_t)
+
+type uml_tmpfs_t;
+typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
+typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t };
+userdom_user_tmpfs_file(uml_tmpfs_t)
+
+type uml_devpts_t;
+typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t };
+typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t };
+term_pty(uml_devpts_t)
+ubac_constrained(uml_devpts_t)
+
+type uml_switch_t;
+type uml_switch_exec_t;
+init_daemon_domain(uml_switch_t, uml_switch_exec_t)
+
+type uml_switch_var_run_t;
+files_pid_file(uml_switch_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow uml_t self:process signal_perms;
+allow uml_t self:fifo_file rw_fifo_file_perms;
+allow uml_t self:unix_stream_socket create_stream_socket_perms;
+allow uml_t self:tcp_socket { accept listen };
+allow uml_t self:tun_socket create;
+allow uml_t self:unix_dgram_socket { create_socket_perms sendto };
+
+allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr_chr_file_perms };
+term_create_pty(uml_t, uml_devpts_t)
+
+manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+files_tmp_filetrans(uml_t, uml_tmp_t, { file dir })
+
+manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+allow uml_t uml_ro_t:dir list_dir_perms;
+allow uml_t uml_ro_t:file read_file_perms;
+allow uml_t uml_ro_t:lnk_file read_lnk_file_perms;
+
+manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+userdom_user_home_dir_filetrans(uml_t, uml_rw_t, dir, ".uml")
+
+can_exec(uml_t, { uml_exec_t uml_tmp_t uml_tmpfs_t })
+
+kernel_read_system_state(uml_t)
+kernel_write_proc_files(uml_t)
+
+corecmd_exec_bin(uml_t)
+
+corenet_all_recvfrom_unlabeled(uml_t)
+corenet_all_recvfrom_netlabel(uml_t)
+corenet_tcp_sendrecv_generic_if(uml_t)
+corenet_tcp_sendrecv_generic_node(uml_t)
+corenet_tcp_sendrecv_all_ports(uml_t)
+
+corenet_sendrecv_all_client_packets(uml_t)
+corenet_tcp_connect_all_ports(uml_t)
+
+corenet_rw_tun_tap_dev(uml_t)
+
+domain_use_interactive_fds(uml_t)
+
+files_dontaudit_read_etc_runtime_files(uml_t)
+
+fs_getattr_all_fs(uml_t)
+fs_search_auto_mountpoints(uml_t)
+
+auth_use_nsswitch(uml_t)
+
+init_read_utmp(uml_t)
+init_dontaudit_write_utmp(uml_t)
+
+libs_exec_lib_files(uml_t)
+
+userdom_use_user_terminals(uml_t)
+userdom_attach_admin_tun_iface(uml_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(uml_t)
+ fs_manage_nfs_files(uml_t)
+ fs_manage_nfs_named_pipes(uml_t)
+ fs_manage_nfs_symlinks(uml_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(uml_t)
+ fs_manage_cifs_files(uml_t)
+ fs_manage_cifs_named_pipes(uml_t)
+ fs_manage_cifs_symlinks(uml_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(uml_t)
+')
+
+optional_policy(`
+ virt_attach_tun_iface(uml_t)
+')
+
+########################################
+#
+# Switch local policy
+#
+
+dontaudit uml_switch_t self:capability sys_tty_config;
+allow uml_switch_t self:process signal_perms;
+allow uml_switch_t self:unix_stream_socket { accept listen };
+
+manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
+manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
+files_pid_filetrans(uml_switch_t, uml_switch_var_run_t, file)
+
+kernel_read_kernel_sysctls(uml_switch_t)
+kernel_list_proc(uml_switch_t)
+kernel_read_proc_symlinks(uml_switch_t)
+
+dev_read_sysfs(uml_switch_t)
+
+domain_use_interactive_fds(uml_switch_t)
+
+fs_getattr_all_fs(uml_switch_t)
+fs_search_auto_mountpoints(uml_switch_t)
+
+term_dontaudit_use_console(uml_switch_t)
+
+init_use_fds(uml_switch_t)
+init_use_script_ptys(uml_switch_t)
+
+logging_send_syslog_msg(uml_switch_t)
+
+miscfiles_read_localization(uml_switch_t)
+
+userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
+userdom_dontaudit_search_user_home_dirs(uml_switch_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(uml_switch_t)
+')
+
+optional_policy(`
+ udev_read_db(uml_switch_t)
+')
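Review bot: `allow uml_t self:tcp_socket { accept listen };` is the only self:tcp_socket rule, with no create_socket or connect permission, yet the file also grants `corenet_tcp_connect_all_ports(uml_t)`, `corenet_tcp_sendrecv_all_ports(uml_t)` and `corenet_sendrecv_all_client_packets(uml_t)`; unless the sockets are always inherited from the caller, those blanket all-port grants are either dead or the socket permission is missing, and in either case the intended network scope should be stated and narrowed if the all-ports form is not actually required. `can_exec(uml_t, { uml_exec_t uml_tmp_t uml_tmpfs_t })` allows execution from user-writable temporary labels, a deliberate exception that deserves a why-comment, presumably `# UML maps guest memory from a tmp/tmpfs backing file and needs exec on it - confirm`.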
diff --git a/policy/modules/apps/userhelper.fc b/policy/modules/apps/userhelper.fc
new file mode 100644
index 00000000..6a2cd2f0
--- /dev/null
+++ b/policy/modules/apps/userhelper.fc
@@ -0,0 +1,6 @@
+/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
+
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
+/usr/bin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
new file mode 100644
index 00000000..2cdbf67e
--- /dev/null
+++ b/policy/modules/apps/userhelper.if
@@ -0,0 +1,231 @@
+## <summary>A wrapper that helps users run system programs.</summary>
+
+#######################################
+## <summary>
+## The role template for the userhelper module.
+## </summary>
+## <param name="userrole_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The user domain associated with the role.
+## </summary>
+## </param>
+#
+template(`userhelper_role_template',`
+ gen_require(`
+ attribute userhelper_type, consolehelper_type;
+ attribute_role userhelper_roles, consolehelper_roles;
+ type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_consolehelper_t, consolehelper_type;
+ userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t)
+
+ role consolehelper_roles types $1_consolehelper_t;
+ roleattribute $2 consolehelper_roles;
+
+ type $1_userhelper_t, userhelper_type;
+ userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
+
+ domain_role_change_exemption($1_userhelper_t)
+ domain_obj_id_change_exemption($1_userhelper_t)
+ domain_interactive_fd($1_userhelper_t)
+ domain_subj_id_change_exemption($1_userhelper_t)
+
+ role userhelper_roles types $1_userhelper_t;
+ roleattribute $2 userhelper_roles;
+
+ ########################################
+ #
+ # Consolehelper local policy
+ #
+
+ allow $1_consolehelper_t $3:unix_stream_socket connectto;
+
+ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+
+ allow $3 $1_consolehelper_t:process { ptrace signal_perms };
+ ps_process_pattern($3, $1_consolehelper_t)
+
+ auth_use_pam($1_consolehelper_t)
+
+ optional_policy(`
+ dbus_connect_all_session_bus($1_consolehelper_t)
+
+ optional_policy(`
+ userhelper_dbus_chat_all_consolehelper($3)
+ ')
+ ')
+
+ ########################################
+ #
+ # Userhelper local policy
+ #
+
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+
+ dontaudit $3 $1_userhelper_t:process signal;
+
+ corecmd_bin_domtrans($1_userhelper_t, $3)
+
+ auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_use_nsswitch($1_userhelper_t)
+
+ userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
+ userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
+
+ optional_policy(`
+ tunable_policy(`! secure_mode',`
+ sysadm_bin_spec_domtrans($1_userhelper_t)
+ sysadm_entry_spec_domtrans($1_userhelper_t)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Search userhelper configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ allow $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## userhelper configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userhelper_dontaudit_search_config',`
+ gen_require(`
+ type userhelper_conf_t;
+ ')
+
+ dontaudit $1 userhelper_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## consolehelper over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_dbus_chat_all_consolehelper',`
+ gen_require(`
+ attribute consolehelper_type;
+ class dbus send_msg;
+ ')
+
+ allow $1 consolehelper_type:dbus send_msg;
+ allow consolehelper_type $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Use userhelper all userhelper file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_use_fd',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:fd use;
+')
+
+########################################
+## <summary>
+## Send child terminated signals to all userhelper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_sigchld',`
+ gen_require(`
+ attribute userhelper_type;
+ ')
+
+ allow $1 userhelper_type:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute the userhelper program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_exec',`
+ gen_require(`
+ type userhelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, userhelper_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the consolehelper program
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userhelper_exec_consolehelper',`
+ gen_require(`
+ type consolehelper_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, consolehelper_exec_t)
+')
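Review bot: The summary of `userhelper_use_fd` reads `## Use userhelper all userhelper file descriptors.`, which is garbled; it should be `## Use all userhelper file descriptors.`, and the `userhelper_sigchld` summary `## Send child terminated signals to all userhelper.` is clearer as `## Send child terminated signals to all userhelper domains.`. In `userhelper_role_template` the inner optional_policy wrapping `userhelper_dbus_chat_all_consolehelper($3)` appears redundant, since it calls this module's own interface and the outer optional_policy already covers the dbus dependency; if there is a reason for it, a comment would help.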
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
new file mode 100644
index 00000000..bffbc94c
--- /dev/null
+++ b/policy/modules/apps/userhelper.te
@@ -0,0 +1,163 @@
+policy_module(userhelper, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute consolehelper_type;
+attribute userhelper_type;
+
+attribute_role consolehelper_roles;
+attribute_role userhelper_roles;
+
+type userhelper_conf_t;
+files_config_file(userhelper_conf_t)
+
+type userhelper_exec_t;
+application_executable_file(userhelper_exec_t)
+
+type consolehelper_exec_t;
+application_executable_file(consolehelper_exec_t)
+
+########################################
+#
+# Common consolehelper domain local policy
+#
+
+allow consolehelper_type self:capability { dac_override setgid setuid };
+allow consolehelper_type self:process signal;
+allow consolehelper_type self:fifo_file rw_fifo_file_perms;
+allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
+allow consolehelper_type self:shm create_shm_perms;
+
+dontaudit consolehelper_type userhelper_conf_t:file audit_access;
+read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
+
+domain_use_interactive_fds(consolehelper_type)
+
+kernel_read_system_state(consolehelper_type)
+kernel_read_kernel_sysctls(consolehelper_type)
+
+corecmd_exec_bin(consolehelper_type)
+
+dev_getattr_all_chr_files(consolehelper_type)
+dev_dontaudit_list_all_dev_nodes(consolehelper_type)
+
+files_read_config_files(consolehelper_type)
+files_read_usr_files(consolehelper_type)
+
+fs_getattr_all_dirs(consolehelper_type)
+fs_getattr_all_fs(consolehelper_type)
+fs_search_auto_mountpoints(consolehelper_type)
+files_search_mnt(consolehelper_type)
+
+term_list_ptys(consolehelper_type)
+
+auth_search_pam_console_data(consolehelper_type)
+auth_read_pam_pid(consolehelper_type)
+
+miscfiles_read_localization(consolehelper_type)
+miscfiles_read_fonts(consolehelper_type)
+
+userhelper_exec(consolehelper_type)
+
+userdom_use_user_terminals(consolehelper_type)
+
+# might want to make this consolehelper_tmp_t
+userdom_manage_user_tmp_dirs(consolehelper_type)
+userdom_manage_user_tmp_files(consolehelper_type)
+userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
+userdom_user_runtime_filetrans_user_tmp(consolehelper_type, { dir file })
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(consolehelper_type)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(consolehelper_type)
+')
+
+optional_policy(`
+ shutdown_run(consolehelper_type, consolehelper_roles)
+ shutdown_signal(consolehelper_type)
+')
+
+optional_policy(`
+ xserver_domtrans_xauth(consolehelper_type)
+ xserver_read_xdm_pid(consolehelper_type)
+ xserver_stream_connect(consolehelper_type)
+')
+
+########################################
+#
+# Common userhelper domain local policy
+#
+
+allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config };
+allow userhelper_type self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow userhelper_type self:fd use;
+allow userhelper_type self:fifo_file rw_fifo_file_perms;
+allow userhelper_type self:shm create_shm_perms;
+allow userhelper_type self:sem create_sem_perms;
+allow userhelper_type self:msgq create_msgq_perms;
+allow userhelper_type self:msg { send receive };
+allow userhelper_type self:unix_dgram_socket sendto;
+allow userhelper_type self:unix_stream_socket { accept connectto listen };
+
+dontaudit userhelper_type userhelper_conf_t:file audit_access;
+read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t)
+
+can_exec(userhelper_type, userhelper_exec_t)
+
+kernel_read_all_sysctls(userhelper_type)
+kernel_getattr_debugfs(userhelper_type)
+kernel_read_system_state(userhelper_type)
+
+corecmd_exec_shell(userhelper_type)
+
+domain_use_interactive_fds(userhelper_type)
+domain_sigchld_interactive_fds(userhelper_type)
+
+dev_read_urand(userhelper_type)
+dev_list_all_dev_nodes(userhelper_type)
+
+files_list_var_lib(userhelper_type)
+files_read_var_files(userhelper_type)
+files_read_var_symlinks(userhelper_type)
+files_search_home(userhelper_type)
+
+fs_getattr_all_fs(userhelper_type)
+fs_search_auto_mountpoints(userhelper_type)
+
+selinux_get_fs_mount(userhelper_type)
+selinux_validate_context(userhelper_type)
+selinux_compute_access_vector(userhelper_type)
+selinux_compute_create_context(userhelper_type)
+selinux_compute_relabel_context(userhelper_type)
+selinux_compute_user_contexts(userhelper_type)
+
+term_list_ptys(userhelper_type)
+term_relabel_all_ttys(userhelper_type)
+term_relabel_all_ptys(userhelper_type)
+term_use_all_ttys(userhelper_type)
+term_use_all_ptys(userhelper_type)
+
+auth_manage_pam_pid(userhelper_type)
+auth_manage_var_auth(userhelper_type)
+auth_search_pam_console_data(userhelper_type)
+
+init_use_fds(userhelper_type)
+init_manage_utmp(userhelper_type)
+init_pid_filetrans_utmp(userhelper_type)
+
+logging_send_syslog_msg(userhelper_type)
+
+miscfiles_read_localization(userhelper_type)
+
+seutil_read_config(userhelper_type)
+seutil_read_default_contexts(userhelper_type)
+
+optional_policy(`
+ rpm_domtrans(userhelper_type)
+')
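Review bot: The self:process rule for `userhelper_type` grants `dyntransition`, `setexec`, `transition` and `setcap` alongside `term_use_all_ttys`/`term_relabel_all_ttys` and `auth_manage_var_auth`, making this one of the most privileged domains reachable from an unprivileged user role, yet none of these lines carry a why-comment. dyntransition in particular lets the process change its own domain without an exec, so a comment such as `# setexec/dyntransition: domain change driven by PAM session setup - confirm which modules need this` above the rule would document the intent and let a later audit drop what is no longer required. The `# might want to make this consolehelper_tmp_t` note in the consolehelper section is a genuine TODO: with the shared user tmp label, consolehelper_type writes into the same namespace as the user's other applications.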
diff --git a/policy/modules/apps/usernetctl.fc b/policy/modules/apps/usernetctl.fc
new file mode 100644
index 00000000..72f38b1b
--- /dev/null
+++ b/policy/modules/apps/usernetctl.fc
@@ -0,0 +1,3 @@
+/usr/bin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
+
+/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
new file mode 100644
index 00000000..7deec55c
--- /dev/null
+++ b/policy/modules/apps/usernetctl.if
@@ -0,0 +1,47 @@
+## <summary>User network interface configuration helper.</summary>
+
+########################################
+## <summary>
+## Execute usernetctl in the usernetctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usernetctl_domtrans',`
+ gen_require(`
+ type usernetctl_t, usernetctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, usernetctl_exec_t, usernetctl_t)
+')
+
+########################################
+## <summary>
+## Execute usernetctl in the usernetctl
+## domain, and allow the specified role
+## the usernetctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usernetctl_run',`
+ gen_require(`
+ attribute_role usernetctl_roles;
+ ')
+
+ usernetctl_domtrans($1)
+ roleattribute $2 usernetctl_roles;
+')
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
new file mode 100644
index 00000000..4ef6f9b2
--- /dev/null
+++ b/policy/modules/apps/usernetctl.te
@@ -0,0 +1,78 @@
+policy_module(usernetctl, 1.8.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role usernetctl_roles;
+
+type usernetctl_t;
+type usernetctl_exec_t;
+application_domain(usernetctl_t, usernetctl_exec_t)
+domain_interactive_fd(usernetctl_t)
+role usernetctl_roles types usernetctl_t;
+
+########################################
+#
+# Local policy
+#
+
+allow usernetctl_t self:capability { dac_override setgid setuid };
+allow usernetctl_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow usernetctl_t self:fd use;
+allow usernetctl_t self:fifo_file rw_fifo_file_perms;
+allow usernetctl_t self:unix_dgram_socket sendto;
+allow usernetctl_t self:unix_stream_socket { accept connectto listen };
+
+can_exec(usernetctl_t, usernetctl_exec_t)
+
+kernel_read_system_state(usernetctl_t)
+kernel_read_kernel_sysctls(usernetctl_t)
+
+corecmd_list_bin(usernetctl_t)
+corecmd_exec_bin(usernetctl_t)
+corecmd_exec_shell(usernetctl_t)
+
+domain_dontaudit_read_all_domains_state(usernetctl_t)
+
+files_exec_etc_files(usernetctl_t)
+files_read_etc_runtime_files(usernetctl_t)
+files_list_pids(usernetctl_t)
+files_list_home(usernetctl_t)
+files_read_usr_files(usernetctl_t)
+
+fs_search_auto_mountpoints(usernetctl_t)
+
+auth_use_nsswitch(usernetctl_t)
+
+logging_send_syslog_msg(usernetctl_t)
+
+miscfiles_read_localization(usernetctl_t)
+
+seutil_read_config(usernetctl_t)
+
+sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+
+userdom_use_user_terminals(usernetctl_t)
+
+optional_policy(`
+ consoletype_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ hostname_exec(usernetctl_t)
+')
+
+optional_policy(`
+ iptables_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ modutils_run(usernetctl_t, usernetctl_roles)
+')
+
+optional_policy(`
+ ppp_run(usernetctl_t, usernetctl_roles)
+')
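Review bot: The `sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)` line and the `consoletype_run`, `iptables_run`, `modutils_run` and `ppp_run` calls in the optional blocks place every role in `usernetctl_roles` into those domains as well, which is a wider grant than the `usernetctl_run` summary in usernetctl.if ("allow the specified role the usernetctl domain") conveys. Anyone auditing which roles can reach the modutils or iptables domains will not find this file unless it is called out, so a comment above the sysnet block would help, e.g. `# usernetctl_roles also gains the ifconfig, dhcpc, consoletype, iptables, modutils and ppp domains below`. The same sentence belongs in the `usernetctl_run` summary in usernetctl.if, since that is the interface callers read.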
diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc
new file mode 100644
index 00000000..f668cde9
--- /dev/null
+++ b/policy/modules/apps/vlock.fc
@@ -0,0 +1,4 @@
+/usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
+/usr/bin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
+
+/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
diff --git a/policy/modules/apps/vlock.if b/policy/modules/apps/vlock.if
new file mode 100644
index 00000000..d5fc09ac
--- /dev/null
+++ b/policy/modules/apps/vlock.if
@@ -0,0 +1,47 @@
+## <summary>Lock one or more sessions on the Linux console.</summary>
+
+#######################################
+## <summary>
+## Execute vlock in the vlock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`vlock_domtrans',`
+ gen_require(`
+ type vlock_t, vlock_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, vlock_exec_t, vlock_t)
+')
+
+########################################
+## <summary>
+## Execute vlock in the vlock domain,
+## and allow the specified role
+## the vlock domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed to access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vlock_run',`
+ gen_require(`
+ attribute_role vlock_roles;
+ ')
+
+ vlock_domtrans($1)
+ roleattribute $2 vlock_roles;
+')
diff --git a/policy/modules/apps/vlock.te b/policy/modules/apps/vlock.te
new file mode 100644
index 00000000..f025f7c1
--- /dev/null
+++ b/policy/modules/apps/vlock.te
@@ -0,0 +1,43 @@
+policy_module(vlock, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role vlock_roles;
+
+type vlock_t;
+type vlock_exec_t;
+application_domain(vlock_t, vlock_exec_t)
+role vlock_roles types vlock_t;
+
+########################################
+#
+# Local policy
+#
+
+dontaudit vlock_t self:capability { setgid setuid };
+allow vlock_t self:fd use;
+allow vlock_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(vlock_t)
+
+corecmd_list_bin(vlock_t)
+
+domain_use_interactive_fds(vlock_t)
+
+files_dontaudit_search_home(vlock_t)
+
+mls_file_write_all_levels(vlock_t)
+
+selinux_dontaudit_getattr_fs(vlock_t)
+
+auth_use_pam(vlock_t)
+
+init_dontaudit_rw_utmp(vlock_t)
+
+miscfiles_read_localization(vlock_t)
+
+userdom_dontaudit_search_user_home_dirs(vlock_t)
+userdom_use_user_terminals(vlock_t)
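Review bot: `mls_file_write_all_levels(vlock_t)` is the only MLS override in this domain and carries no explanation, so a reader cannot tell which object vlock needs to write at a level other than its own or whether the grant is still required. A why-comment on that line is enough, e.g. `# MLS: vlock writes outside its own level -- document which object (placeholder: tty/utmp?) needs this`, with the placeholder replaced once confirmed. `dontaudit vlock_t self:capability { setgid setuid };` is a dontaudit rather than an allow, which is presumably intentional, but a short comment there would also stop the next reader from assuming an allow was meant.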
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
new file mode 100644
index 00000000..b1557721
--- /dev/null
+++ b/policy/modules/apps/vmware.fc
@@ -0,0 +1,54 @@
+HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0)
+HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
+
+/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+
+/usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+
+/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
+/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
+
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+
+/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0)
+/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
new file mode 100644
index 00000000..20a1fb29
--- /dev/null
+++ b/policy/modules/apps/vmware.if
@@ -0,0 +1,114 @@
+## <summary>VMWare Workstation virtual machines.</summary>
+
+########################################
+## <summary>
+## Role access for vmware.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`vmware_role',`
+ gen_require(`
+ type vmware_t, vmware_exec_t, vmware_file_t;
+ type vmware_conf_t, vmware_tmp_t, vmware_tmpfs_t;
+ ')
+
+ role $1 types vmware_t;
+
+ domtrans_pattern($2, vmware_exec_t, vmware_t)
+
+ ps_process_pattern($2, vmware_t)
+ allow $2 vmware_t:process { ptrace signal_perms };
+
+ allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { vmware_tmp_t vmware_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $2 vmware_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 vmware_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ userdom_user_home_dir_filetrans($2, vmware_file_t, dir, ".vmware")
+ userdom_user_home_dir_filetrans($2, vmware_file_t, dir, "vmware")
+')
+
+########################################
+## <summary>
+## Execute vmware host executables
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_exec_host',`
+ gen_require(`
+ type vmware_host_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, vmware_host_exec_t)
+')
+
+########################################
+## <summary>
+## Read vmware system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_read_system_config',`
+ gen_require(`
+ type vmware_sys_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 vmware_sys_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Append vmware system configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_append_system_config',`
+ gen_require(`
+ type vmware_sys_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 vmware_sys_conf_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Append vmware log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vmware_append_log',`
+ gen_require(`
+ type vmware_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, vmware_log_t, vmware_log_t)
+')
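Review bot: `vmware_role` assigns the role with `role $1 types vmware_t;` directly, whereas every other role interface in this change (`usernetctl_run`, `vlock_run`, `webalizer_run`, `wine_role`) goes through an `attribute_role` plus `roleattribute`; aligning vmware with that pattern would need `attribute_role vmware_roles;` in vmware.te and `roleattribute $1 vmware_roles;` here, so it is a cross-file change and may be better as a follow-up. Independently of that, the summary `Role access for vmware.` undersells what the interface grants: `$2` receives `ptrace` on `vmware_t` and manage plus relabel rights over `vmware_conf_t`, `vmware_file_t`, `vmware_tmp_t` and `vmware_tmpfs_t`. Expanding the summary to `Role access for vmware: run vmware, ptrace it, and manage/relabel its home, config, tmp and tmpfs content.` would let callers see the full grant without reading the body.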
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
new file mode 100644
index 00000000..441fe9ef
--- /dev/null
+++ b/policy/modules/apps/vmware.te
@@ -0,0 +1,283 @@
+policy_module(vmware, 2.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type vmware_t;
+type vmware_exec_t;
+typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
+typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
+userdom_user_application_domain(vmware_t, vmware_exec_t)
+
+type vmware_conf_t;
+typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
+typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t };
+userdom_user_home_content(vmware_conf_t)
+
+type vmware_file_t;
+typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t };
+typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t };
+userdom_user_home_content(vmware_file_t)
+
+type vmware_host_t;
+type vmware_host_exec_t;
+init_daemon_domain(vmware_host_t, vmware_host_exec_t)
+
+type vmware_host_pid_t alias vmware_var_run_t;
+files_pid_file(vmware_host_pid_t)
+
+type vmware_host_tmp_t;
+userdom_user_tmp_file(vmware_host_tmp_t)
+
+type vmware_log_t;
+typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
+typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
+logging_log_file(vmware_log_t)
+ubac_constrained(vmware_log_t)
+
+type vmware_pid_t;
+typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
+typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t };
+files_pid_file(vmware_pid_t)
+ubac_constrained(vmware_pid_t)
+
+type vmware_sys_conf_t;
+files_config_file(vmware_sys_conf_t)
+
+type vmware_tmp_t;
+typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
+typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
+userdom_user_tmp_file(vmware_tmp_t)
+
+type vmware_tmpfs_t;
+typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
+typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t };
+userdom_user_tmpfs_file(vmware_tmpfs_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
+')
+
+optional_policy(`
+ wm_application_domain(vmware_t, vmware_exec_t)
+')
+
+########################################
+#
+# Host local policy
+#
+
+allow vmware_host_t self:capability { dac_override kill net_raw setgid setuid sys_nice sys_ptrace sys_time };
+dontaudit vmware_host_t self:capability sys_tty_config;
+allow vmware_host_t self:process { execstack execmem signal_perms };
+allow vmware_host_t self:fifo_file rw_fifo_file_perms;
+allow vmware_host_t self:unix_stream_socket { accept listen };
+allow vmware_host_t self:rawip_socket create_socket_perms;
+
+manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
+
+manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
+
+append_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+create_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+setattr_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+logging_log_filetrans(vmware_host_t, vmware_log_t, file)
+
+can_exec(vmware_host_t, vmware_host_exec_t)
+
+kernel_read_kernel_sysctls(vmware_host_t)
+kernel_read_system_state(vmware_host_t)
+kernel_read_network_state(vmware_host_t)
+
+corenet_all_recvfrom_unlabeled(vmware_host_t)
+corenet_all_recvfrom_netlabel(vmware_host_t)
+corenet_tcp_sendrecv_generic_if(vmware_host_t)
+corenet_udp_sendrecv_generic_if(vmware_host_t)
+corenet_raw_sendrecv_generic_if(vmware_host_t)
+corenet_tcp_sendrecv_generic_node(vmware_host_t)
+corenet_udp_sendrecv_generic_node(vmware_host_t)
+corenet_raw_sendrecv_generic_node(vmware_host_t)
+corenet_tcp_sendrecv_all_ports(vmware_host_t)
+
+corenet_sendrecv_all_client_packets(vmware_host_t)
+corenet_tcp_connect_all_ports(vmware_host_t)
+
+corecmd_exec_bin(vmware_host_t)
+corecmd_exec_shell(vmware_host_t)
+
+dev_getattr_all_blk_files(vmware_host_t)
+dev_read_sysfs(vmware_host_t)
+dev_read_urand(vmware_host_t)
+dev_rw_vmware(vmware_host_t)
+
+domain_use_interactive_fds(vmware_host_t)
+domain_dontaudit_read_all_domains_state(vmware_host_t)
+
+files_list_tmp(vmware_host_t)
+files_read_etc_files(vmware_host_t)
+files_read_etc_runtime_files(vmware_host_t)
+files_read_usr_files(vmware_host_t)
+
+fs_getattr_all_fs(vmware_host_t)
+fs_search_auto_mountpoints(vmware_host_t)
+
+storage_getattr_fixed_disk_dev(vmware_host_t)
+
+term_dontaudit_use_console(vmware_host_t)
+
+init_use_fds(vmware_host_t)
+init_use_script_ptys(vmware_host_t)
+
+libs_exec_ld_so(vmware_host_t)
+
+logging_send_syslog_msg(vmware_host_t)
+
+miscfiles_read_localization(vmware_host_t)
+
+sysnet_dns_name_resolve(vmware_host_t)
+sysnet_domtrans_ifconfig(vmware_host_t)
+
+userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
+userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+
+netutils_domtrans_ping(vmware_host_t)
+
+optional_policy(`
+ hostname_exec(vmware_host_t)
+')
+
+optional_policy(`
+ modutils_domtrans(vmware_host_t)
+')
+
+optional_policy(`
+ samba_read_config(vmware_host_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(vmware_host_t)
+')
+
+optional_policy(`
+ shutdown_domtrans(vmware_host_t)
+')
+
+optional_policy(`
+ udev_read_db(vmware_host_t)
+')
+
+optional_policy(`
+ xserver_read_tmp_files(vmware_host_t)
+ xserver_read_xdm_pid(vmware_host_t)
+')
+
+########################################
+#
+# Guest local policy
+#
+
+allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource };
+dontaudit vmware_t self:capability sys_tty_config;
+allow vmware_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
+allow vmware_t self:fd use;
+allow vmware_t self:fifo_file rw_fifo_file_perms;
+allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
+allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow vmware_t self:shm create_shm_perms;
+allow vmware_t self:sem create_sem_perms;
+allow vmware_t self:msgq create_msgq_perms;
+allow vmware_t self:msg { send receive };
+
+allow vmware_t vmware_conf_t:file manage_file_perms;
+
+manage_dirs_pattern(vmware_t, vmware_file_t, vmware_file_t)
+manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, ".vmware")
+userdom_user_home_dir_filetrans(vmware_t, vmware_file_t, dir, "vmware")
+
+manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir })
+
+manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow vmware_t vmware_sys_conf_t:dir list_dir_perms;
+read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file })
+
+can_exec(vmware_t, { vmware_tmp_t vmware_exec_t })
+
+kernel_read_system_state(vmware_t)
+kernel_read_network_state(vmware_t)
+kernel_read_kernel_sysctls(vmware_t)
+
+corecmd_exec_bin(vmware_t)
+corecmd_exec_shell(vmware_t)
+
+dev_read_raw_memory(vmware_t)
+dev_write_raw_memory(vmware_t)
+dev_read_mouse(vmware_t)
+dev_write_sound(vmware_t)
+dev_read_realtime_clock(vmware_t)
+dev_rwx_vmware(vmware_t)
+dev_rw_usbfs(vmware_t)
+dev_search_sysfs(vmware_t)
+
+domain_use_interactive_fds(vmware_t)
+
+files_read_etc_files(vmware_t)
+files_read_etc_runtime_files(vmware_t)
+files_read_usr_files(vmware_t)
+files_list_home(vmware_t)
+
+fs_getattr_all_fs(vmware_t)
+fs_search_auto_mountpoints(vmware_t)
+
+storage_raw_read_removable_device(vmware_t)
+storage_raw_write_removable_device(vmware_t)
+
+libs_exec_ld_so(vmware_t)
+libs_read_lib_files(vmware_t)
+
+miscfiles_read_localization(vmware_t)
+
+userdom_use_user_terminals(vmware_t)
+userdom_list_user_home_dirs(vmware_t)
+
+sysnet_dns_name_resolve(vmware_t)
+
+xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(vmware_t)
+ fs_manage_nfs_files(vmware_t)
+ fs_manage_nfs_symlinks(vmware_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(vmware_t)
+ fs_manage_cifs_files(vmware_t)
+ fs_manage_cifs_symlinks(vmware_t)
+')
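Review bot: `dev_read_raw_memory(vmware_t)` and `dev_write_raw_memory(vmware_t)`, together with `sys_rawio` and `sys_admin` in the `vmware_t` capability set, give a user-launched application domain read/write access to raw memory devices, which in practice is equivalent to unconfined access for anything running as `vmware_t` (and `can_exec(vmware_t, { vmware_tmp_t vmware_exec_t })` lets it execute files it created in `vmware_tmp_t`). None of these lines carries a justification, so a reviewer cannot tell whether the raw-memory access is needed by a specific VMware component or is legacy. A comment naming the consumer, e.g. `# raw memory + sys_rawio: needed by <component placeholder> -- TODO confirm still required`, and, if the need is install-specific, moving those four lines under a `tunable_policy` the way the NFS/CIFS home-directory rules at the bottom are gated, would make the trade-off explicit and revisitable.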
diff --git a/policy/modules/apps/webalizer.fc b/policy/modules/apps/webalizer.fc
new file mode 100644
index 00000000..64baf679
--- /dev/null
+++ b/policy/modules/apps/webalizer.fc
@@ -0,0 +1,9 @@
+/etc/webalizer\.conf -- gen_context(system_u:object_r:webalizer_etc_t,s0)
+
+/usr/bin/awffull -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+/usr/bin/webazolver -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+
+/var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0)
+
+/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0)
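Review bot: `/var/www/usage(/.*)?` is labelled `httpd_webalizer_content_t`, a type that webalizer.te only introduces through `apache_content_template(webalizer)` inside an `optional_policy` block, so this file context depends on the apache module being present while nothing in the .fc records that. If a build can omit apache the label refers to an undeclared type; whether the toolchain rejects that at build or load time I cannot tell from the diff. Either way a comment above the line would make the coupling visible, e.g. `# httpd_webalizer_content_t comes from apache_content_template() in webalizer.te (optional apache block)`.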
diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if
new file mode 100644
index 00000000..cc831b6d
--- /dev/null
+++ b/policy/modules/apps/webalizer.if
@@ -0,0 +1,67 @@
+## <summary>Web server log analysis.</summary>
+
+########################################
+## <summary>
+## Execute webalizer in the webalizer domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`webalizer_domtrans',`
+ gen_require(`
+ type webalizer_t, webalizer_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, webalizer_exec_t, webalizer_t)
+')
+
+########################################
+## <summary>
+## Execute webalizer in the webalizer
+## domain, and allow the specified
+## role the webalizer domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`webalizer_run',`
+ gen_require(`
+ attribute_role webalizer_roles;
+ ')
+
+ webalizer_domtrans($1)
+ roleattribute $2 webalizer_roles;
+')
+
+########################################
+## <summary>
+## Manage webalizer usage files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to manage webalizer usage files
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`manage_webalizer_var_lib',`
+ gen_require(`
+ type webalizer_var_lib_t;
+ ')
+
+ allow $1 webalizer_var_lib_t:dir manage_dir_perms;
+ allow $1 webalizer_var_lib_t:file manage_file_perms;
+')
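Review bot: `manage_webalizer_var_lib` breaks the `<module>_<verb>_<object>` naming that the other two interfaces in this file (`webalizer_domtrans`, `webalizer_run`) and every other .if in this change follow; `webalizer_manage_var_lib` would be the conventional name, with the existing one kept as a deprecated alias if something already calls it. The `<rolecap/>` tag also looks out of place: in this change it otherwise appears only on interfaces that add a role to a domain (`usernetctl_run`, `vlock_run`, `webalizer_run`), whereas this one only grants `$1` directory and file access. The summary `Manage webalizer usage files` could name what it governs, e.g. `Create, read, write and delete webalizer state in webalizer_var_lib_t (/var/lib/webalizer per webalizer.fc).`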
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
new file mode 100644
index 00000000..da454655
--- /dev/null
+++ b/policy/modules/apps/webalizer.te
@@ -0,0 +1,95 @@
+policy_module(webalizer, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role webalizer_roles;
+roleattribute system_r webalizer_roles;
+
+type webalizer_t;
+type webalizer_exec_t;
+application_domain(webalizer_t, webalizer_exec_t)
+role webalizer_roles types webalizer_t;
+
+type webalizer_etc_t;
+files_config_file(webalizer_etc_t)
+
+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
+type webalizer_tmp_t;
+files_tmp_file(webalizer_tmp_t)
+
+type webalizer_var_lib_t;
+files_type(webalizer_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow webalizer_t self:capability dac_override;
+allow webalizer_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow webalizer_t self:fd use;
+allow webalizer_t self:fifo_file rw_fifo_file_perms;
+allow webalizer_t self:unix_dgram_socket sendto;
+allow webalizer_t self:unix_stream_socket { accept connectto listen };
+allow webalizer_t self:tcp_socket { accept listen };
+
+allow webalizer_t webalizer_etc_t:file read_file_perms;
+
+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
+manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
+manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
+files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
+
+manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
+files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
+
+can_exec(webalizer_t, webalizer_exec_t)
+
+kernel_read_kernel_sysctls(webalizer_t)
+kernel_read_system_state(webalizer_t)
+
+files_read_etc_runtime_files(webalizer_t)
+files_read_usr_files(webalizer_t)
+
+fs_search_auto_mountpoints(webalizer_t)
+fs_getattr_xattr_fs(webalizer_t)
+fs_rw_anon_inodefs_files(webalizer_t)
+
+auth_use_nsswitch(webalizer_t)
+
+logging_list_logs(webalizer_t)
+logging_send_syslog_msg(webalizer_t)
+
+miscfiles_read_localization(webalizer_t)
+miscfiles_read_public_files(webalizer_t)
+miscfiles_read_fonts(webalizer_t)
+
+userdom_use_user_terminals(webalizer_t)
+userdom_use_unpriv_users_fds(webalizer_t)
+userdom_dontaudit_search_user_home_content(webalizer_t)
+
+optional_policy(`
+ apache_read_log(webalizer_t)
+ apache_content_template(webalizer)
+ manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+ manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+')
+
+optional_policy(`
+ cron_system_entry(webalizer_t, webalizer_exec_t)
+')
+
+optional_policy(`
+ ftp_read_log(webalizer_t)
+')
+
+optional_policy(`
+ squid_read_log(webalizer_t)
+')
diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
new file mode 100644
index 00000000..786a51e2
--- /dev/null
+++ b/policy/modules/apps/wine.fc
@@ -0,0 +1,24 @@
+HOME_DIR/\.wine(/.*)? gen_context(system_u:object_r:wine_home_t,s0)
+HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
+
+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
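Review bot: `/opt/google/picasa(/.*)?/Picasa3/.*exe` ends in an unescaped `exe`, so it matches any file whose name merely ends in those three letters rather than only `.exe` binaries; `\.exe` is presumably what was intended, as `HOME_DIR/\.wine(/.*)?` in the same file does escape its dot. The `HOME_DIR/cxoffice/bin/wine.+` entry labels executables in a user-writable home path as `wine_exec_t`, so the transition into `wine_t` is triggered by content the user controls; that is consistent with `wine_role` in wine.if giving the user domain manage and relabel rights over `wine_home_t`, but a comment such as `# user-writable path: wine_t is a per-user domain, not a boundary against its owner` would keep anyone from reading the transition as a hardening step.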
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
new file mode 100644
index 00000000..2dba6216
--- /dev/null
+++ b/policy/modules/apps/wine.if
@@ -0,0 +1,166 @@
+## <summary>Run Windows programs in Linux.</summary>
+
+########################################
+## <summary>
+## Role access for wine.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`wine_role',`
+ gen_require(`
+ attribute_role wine_roles;
+ type wine_exec_t, wine_t, wine_tmp_t;
+ type wine_home_t;
+ ')
+
+ roleattribute $1 wine_roles;
+
+ domtrans_pattern($2, wine_exec_t, wine_t)
+
+ allow wine_t $2:unix_stream_socket connectto;
+ allow wine_t $2:process signull;
+
+ ps_process_pattern($2, wine_t)
+ allow $2 wine_t:process { ptrace signal_perms };
+
+ allow $2 wine_t:fd use;
+ allow $2 wine_t:shm { associate getattr };
+ allow $2 wine_t:shm rw_shm_perms;
+ allow $2 wine_t:unix_stream_socket connectto;
+
+ allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine")
+')
+
+#######################################
+## <summary>
+## The role template for the wine module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for wine applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wine_role_template',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ type $1_wine_t;
+ userdom_user_application_domain($1_wine_t, wine_exec_t)
+ role $2 types $1_wine_t;
+
+ allow $1_wine_t self:process { execmem execstack };
+
+ allow $3 $1_wine_t:process { ptrace noatsecure signal_perms };
+ ps_process_pattern($3, $1_wine_t)
+
+ domtrans_pattern($3, wine_exec_t, $1_wine_t)
+
+ corecmd_bin_domtrans($1_wine_t, $3)
+
+ userdom_manage_user_tmpfs_files($1_wine_t)
+
+ domain_mmap_low($1_wine_t)
+
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
+
+ optional_policy(`
+ xserver_role($1_r, $1_wine_t)
+ ')
+')
+
+########################################
+## <summary>
+## Execute the wine program in the wine domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wine_domtrans',`
+ gen_require(`
+ type wine_t, wine_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wine_exec_t, wine_t)
+')
+
+########################################
+## <summary>
+## Execute wine in the wine domain,
+## and allow the specified role
+## the wine domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_run',`
+ gen_require(`
+ attribute_role wine_roles;
+ ')
+
+ wine_domtrans($1)
+ roleattribute $2 wine_roles;
+')
+
+########################################
+## <summary>
+## Read and write wine Shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_rw_shm',`
+ gen_require(`
+ type wine_t;
+ ')
+
+ allow $1 wine_t:shm rw_shm_perms;
+')
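Review bot: In `wine_role_template`, `xserver_role($1_r, $1_wine_t)` builds the role name from the prefix while the rest of the template uses the `user_role` parameter (`role $2 types $1_wine_t;`), so if a caller passes a role that is not literally `$1_r` the X access is granted to a different role than the one that owns the domain. The fix is the one-line change `xserver_role($2, $1_wine_t)`, which also matches how wm.if's template calls `xserver_role($2, $1_wm_t)` in this same change. The derived `$1_wine_t` is also given `noatsecure` from `$3` and `corecmd_bin_domtrans($1_wine_t, $3)` back into the user domain; a short comment stating that the derived domain is not meant to be a confinement boundary from its user would save the next reader from assuming otherwise.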
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
new file mode 100644
index 00000000..8ec8c969
--- /dev/null
+++ b/policy/modules/apps/wine.te
@@ -0,0 +1,84 @@
+policy_module(wine, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether attempts by
+## wine to mmap low regions should
+## be silently blocked.
+## </p>
+## </desc>
+gen_tunable(wine_mmap_zero_ignore, false)
+
+attribute_role wine_roles;
+roleattribute system_r wine_roles;
+
+type wine_t;
+type wine_exec_t;
+userdom_user_application_domain(wine_t, wine_exec_t)
+role wine_roles types wine_t;
+
+type wine_home_t;
+userdom_user_home_content(wine_home_t)
+
+type wine_tmp_t;
+userdom_user_tmp_file(wine_tmp_t)
+
+optional_policy(`
+ wm_application_domain(wine_t, wine_exec_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow wine_t self:process { execstack execmem execheap };
+allow wine_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(wine_t, wine_exec_t)
+
+userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
+
+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+
+domain_mmap_low(wine_t)
+
+files_execmod_all_files(wine_t)
+
+userdom_use_user_terminals(wine_t)
+
+tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit wine_t self:memprotect mmap_zero;
+')
+
+optional_policy(`
+ dbus_system_bus_client(wine_t)
+
+ optional_policy(`
+ hal_dbus_chat(wine_t)
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(wine_t)
+ ')
+')
+
+optional_policy(`
+ rtkit_scheduled(wine_t)
+')
+
+optional_policy(`
+ unconfined_domain(wine_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(wine_t)
+ xserver_rw_shm(wine_t)
+')
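Review bot: wine_t is given a file transition into wine_home_t at `userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")` but no rule to read or write wine_home_t itself, whereas wireshark.te in this same change pairs the identical filetrans with manage_dirs/files/lnk_files patterns. Unless something inside userdom_user_application_domain grants it (not visible here), wine_t will create ~/.wine and then be denied access to its contents, and the only thing masking that is the optional `unconfined_domain(wine_t)`, which turns the whole module into a no-op whenever the unconfined module is loaded. Suggest adding `manage_dirs_pattern(wine_t, wine_home_t, wine_home_t)`, `manage_files_pattern(wine_t, wine_home_t, wine_home_t)` and `manage_lnk_files_pattern(wine_t, wine_home_t, wine_home_t)` above the filetrans. The `unconfined_domain` block and `files_execmod_all_files(wine_t)` both deserve a comment stating that wine is intentionally not confined when unconfined is available and why execmod on every file is needed.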
diff --git a/policy/modules/apps/wireshark.fc b/policy/modules/apps/wireshark.fc
new file mode 100644
index 00000000..7b07a705
--- /dev/null
+++ b/policy/modules/apps/wireshark.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0)
+
+/usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0)
diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if
new file mode 100644
index 00000000..9cad4afe
--- /dev/null
+++ b/policy/modules/apps/wireshark.if
@@ -0,0 +1,57 @@
+## <summary>Wireshark packet capture tool.</summary>
+
+############################################################
+## <summary>
+## Role access for wireshark.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`wireshark_role',`
+ gen_require(`
+ attribute_role wireshark_roles;
+ type wireshark_t, wireshark_exec_t, wireshark_home_t;
+ type wireshark_tmp_t, wireshark_tmpfs_t;
+ ')
+
+ roleattribute $1 wireshark_roles;
+
+ domtrans_pattern($2, wireshark_exec_t, wireshark_t)
+
+ allow $2 wireshark_t:process { ptrace signal_perms };
+ ps_process_pattern($2, wireshark_t)
+
+ allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { wireshark_home_t wireshark_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 wireshark_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $2 wireshark_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ userdom_user_home_dir_filetrans($2, wireshark_home_t, dir, ".wireshark")
+')
+
+########################################
+## <summary>
+## Execute wireshark in wireshark domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wireshark_domtrans',`
+ gen_require(`
+ type wireshark_t, wireshark_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wireshark_exec_t, wireshark_t)
+')
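Review bot: wireshark.if provides `wireshark_domtrans` but no `wireshark_run`, unlike wine.if (`wine_run`) and yam.if (`yam_run`) in this same change; the transition alone is only usable if the caller's role is already in wireshark_roles, and the only interface that adds a role is `wireshark_role`, which also hands out ptrace and full management of every wireshark_* type. Suggest a `wireshark_run` interface following the yam_run shape, with a `gen_require` of `attribute_role wireshark_roles;` and a body of `wireshark_domtrans($1)` followed by `roleattribute $2 wireshark_roles;`.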
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
new file mode 100644
index 00000000..1f2641f4
--- /dev/null
+++ b/policy/modules/apps/wireshark.te
@@ -0,0 +1,133 @@
+policy_module(wireshark, 2.6.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role wireshark_roles;
+
+type wireshark_t;
+type wireshark_exec_t;
+typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
+typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
+userdom_user_application_domain(wireshark_t, wireshark_exec_t)
+role wireshark_roles types wireshark_t;
+
+type wireshark_home_t;
+typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
+typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
+userdom_user_home_content(wireshark_home_t)
+
+type wireshark_tmp_t;
+typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
+typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
+userdom_user_tmp_file(wireshark_tmp_t)
+
+type wireshark_tmpfs_t;
+typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
+typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t };
+userdom_user_tmpfs_file(wireshark_tmpfs_t)
+
+optional_policy(`
+ wm_application_domain(wireshark_t, wireshark_exec_t)
+')
+
+##############################
+#
+# Local Policy
+#
+
+allow wireshark_t self:capability { net_admin net_raw setgid };
+allow wireshark_t self:process { signal getsched };
+allow wireshark_t self:fifo_file rw_fifo_file_perms;
+allow wireshark_t self:shm create_shm_perms;
+allow wireshark_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir, ".wireshark")
+
+manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file })
+
+manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+can_exec(wireshark_t, wireshark_exec_t)
+
+kernel_read_kernel_sysctls(wireshark_t)
+kernel_read_system_state(wireshark_t)
+kernel_read_sysctl(wireshark_t)
+
+corecmd_exec_bin(wireshark_t)
+
+corenet_all_recvfrom_unlabeled(wireshark_t)
+corenet_all_recvfrom_netlabel(wireshark_t)
+corenet_tcp_sendrecv_generic_if(wireshark_t)
+corenet_udp_sendrecv_generic_if(wireshark_t)
+corenet_raw_sendrecv_generic_if(wireshark_t)
+corenet_tcp_sendrecv_generic_node(wireshark_t)
+corenet_udp_sendrecv_generic_node(wireshark_t)
+corenet_raw_sendrecv_generic_node(wireshark_t)
+corenet_tcp_sendrecv_all_ports(wireshark_t)
+corenet_udp_sendrecv_all_ports(wireshark_t)
+
+corenet_sendrecv_generic_client_packets(wireshark_t)
+corenet_tcp_connect_generic_port(wireshark_t)
+
+dev_read_rand(wireshark_t)
+dev_read_sysfs(wireshark_t)
+dev_read_urand(wireshark_t)
+
+files_map_usr_files(wireshark_t)
+files_read_usr_files(wireshark_t)
+
+fs_getattr_all_fs(wireshark_t)
+fs_list_inotifyfs(wireshark_t)
+fs_search_auto_mountpoints(wireshark_t)
+
+auth_use_nsswitch(wireshark_t)
+
+libs_read_lib_files(wireshark_t)
+
+miscfiles_read_fonts(wireshark_t)
+miscfiles_read_localization(wireshark_t)
+
+userdom_use_user_terminals(wireshark_t)
+
+userdom_user_content_access_template(wireshark, wireshark_t)
+
+xdg_read_downloads(wireshark_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(wireshark_t)
+ fs_manage_nfs_files(wireshark_t)
+ fs_manage_nfs_symlinks(wireshark_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(wireshark_t)
+ fs_manage_cifs_files(wireshark_t)
+ fs_manage_cifs_symlinks(wireshark_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(wireshark_t)
+')
+
+optional_policy(`
+ userhelper_use_fd(wireshark_t)
+ userhelper_sigchld(wireshark_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(wireshark, wireshark_t, wireshark_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(wireshark_t)
+')
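Review bot: Capture privilege and dissection share one domain: `allow wireshark_t self:capability { net_admin net_raw setgid }` and `allow wireshark_t self:packet_socket create_socket_perms` go to the same wireshark_t that parses untrusted packet data, and because wireshark.fc labels only /usr/bin/wireshark, a dumpcap helper started through `corecmd_exec_bin(wireshark_t)` stays in this domain rather than getting a smaller one. That is presumably a known simplification rather than an oversight, but it is the single most security-relevant fact about this module and the file does not state it. Suggest a comment above the capability line, e.g. `# capture (net_admin/net_raw/packet_socket) and dissection run in the same domain; dumpcap is not separated`, and a second one on `setgid` saying what drops to which group.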
diff --git a/policy/modules/apps/wm.fc b/policy/modules/apps/wm.fc
new file mode 100644
index 00000000..05129fea
--- /dev/null
+++ b/policy/modules/apps/wm.fc
@@ -0,0 +1,5 @@
+/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/mutter -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
new file mode 100644
index 00000000..260a7b01
--- /dev/null
+++ b/policy/modules/apps/wm.if
@@ -0,0 +1,252 @@
+## <summary>X Window Managers.</summary>
+
+#######################################
+## <summary>
+## The role template for the wm module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for window manager applications.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`wm_role_template',`
+ gen_require(`
+ attribute wm_domain;
+ type wm_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_wm_t, wm_domain;
+ userdom_user_application_domain($1_wm_t, wm_exec_t)
+ role $2 types $1_wm_t;
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $3 $1_wm_t:fd use;
+
+ allow $1_wm_t $3:unix_stream_socket connectto;
+ allow $3 $1_wm_t:unix_stream_socket connectto;
+
+ allow $3 $1_wm_t:process { ptrace signal_perms };
+ ps_process_pattern($3, $1_wm_t)
+
+ allow $1_wm_t $3:process { signull sigkill };
+
+ domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
+ corecmd_bin_domtrans($1_wm_t, $3)
+ corecmd_shell_domtrans($1_wm_t, $3)
+
+ mls_file_read_all_levels($1_wm_t)
+ mls_file_write_all_levels($1_wm_t)
+ mls_xwin_read_all_levels($1_wm_t)
+ mls_xwin_write_all_levels($1_wm_t)
+ mls_fd_use_all_levels($1_wm_t)
+
+ auth_use_nsswitch($1_wm_t)
+
+ xserver_role($2, $1_wm_t)
+ xserver_manage_core_devices($1_wm_t)
+
+ wm_write_pipes($1, $3)
+
+ optional_policy(`
+ dbus_connect_spec_session_bus($1, $1_wm_t)
+ dbus_spec_session_bus_client($1, $1_wm_t)
+ dbus_system_bus_client($1_wm_t)
+
+ optional_policy(`
+ wm_dbus_chat($1, $3)
+ ')
+ ')
+
+ optional_policy(`
+ gnome_stream_connect_all_gkeyringd($1_wm_t)
+ ')
+
+ optional_policy(`
+ policykit_run_auth($1_wm_t, $2)
+ policykit_signal_auth($1_wm_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_run($1_wm_t, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Execute wm in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wm_exec',`
+ gen_require(`
+ type wm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, wm_exec_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## specified wm over dbus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wm_dbus_chat',`
+ gen_require(`
+ type $1_wm_t;
+ class dbus send_msg;
+ ')
+
+ allow $2 $1_wm_t:dbus send_msg;
+ allow $1_wm_t $2:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type wm_tmp_t;
+ ')
+
+ dontaudit $1 wm_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmpfs_files',`
+ gen_require(`
+ type wm_tmpfs_t;
+ ')
+
+ dontaudit $1 wm_tmpfs_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Create a domain for applications
+## that are launched by the window
+## manager.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for applications that are launched by the
+## window manager (implying a domain transition). Typically
+## these are graphical applications that are run interactively.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## </desc>
+## <param name="target_domain">
+## <summary>
+## Type to be used in the domain transition as the application
+## domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="source_domain">
+## <summary>
+## Type to be used as the source window manager domain.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`wm_application_domain',`
+ gen_require(`
+ attribute wm_domain;
+ ')
+
+ userdom_user_application_domain($1, $2)
+ domtrans_pattern(wm_domain, $2, $1)
+')
+
+########################################
+## <summary>
+## Write wm unnamed pipes.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wm_write_pipes',`
+ gen_require(`
+ type $1_wm_t;
+ ')
+
+ allow $2 $1_wm_t:fifo_file write;
+')
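Review bot: The MLS overrides in `wm_role_template` — `mls_file_read_all_levels`, `mls_file_write_all_levels`, `mls_xwin_read_all_levels`, `mls_xwin_write_all_levels` and `mls_fd_use_all_levels` — make every derived `$1_wm_t` a trusted subject for both read-up and write-down, and the template gives no reason for the write side. On an MLS build this is the rule that matters most in the template, and it sits next to `corecmd_bin_domtrans($1_wm_t, $3)` and `corecmd_shell_domtrans($1_wm_t, $3)` back into the user domain. Suggest a comment above the block such as `# MLS: the wm handles windows and files of every level; write-all-levels is required for <REASON — confirm>`, or dropping the two write grants if no window manager in wm.fc needs them.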
diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te
new file mode 100644
index 00000000..4b7e88ad
--- /dev/null
+++ b/policy/modules/apps/wm.te
@@ -0,0 +1,152 @@
+policy_module(wm, 1.8.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute wm_domain;
+
+type wm_exec_t;
+corecmd_executable_file(wm_exec_t)
+
+type wm_tmp_t;
+userdom_user_tmp_file(wm_tmp_t)
+
+type wm_tmpfs_t;
+userdom_user_tmpfs_file(wm_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(wm_tmpfs_t)
+')
+
+########################################
+#
+# Common wm domain local policy
+#
+
+allow wm_domain self:fifo_file rw_fifo_file_perms;
+allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
+allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
+allow wm_domain self:shm create_shm_perms;
+allow wm_domain self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+
+can_exec(wm_domain, wm_exec_t)
+
+kernel_read_system_state(wm_domain)
+
+corecmd_getattr_all_executables(wm_domain)
+
+dev_read_rand(wm_domain)
+dev_read_sound(wm_domain)
+dev_read_sysfs(wm_domain)
+dev_read_urand(wm_domain)
+dev_rw_dri(wm_domain)
+dev_rw_wireless(wm_domain)
+dev_write_sound(wm_domain)
+
+files_read_etc_runtime_files(wm_domain)
+files_map_usr_files(wm_domain)
+files_read_usr_files(wm_domain)
+
+fs_getattr_all_fs(wm_domain)
+
+kernel_read_fs_sysctls(wm_domain)
+kernel_read_proc_symlinks(wm_domain)
+kernel_read_sysctl(wm_domain)
+
+locallogin_dontaudit_use_fds(wm_domain)
+
+miscfiles_read_fonts(wm_domain)
+miscfiles_read_generic_certs(wm_domain)
+miscfiles_read_localization(wm_domain)
+
+selinux_get_enforce_mode(wm_domain)
+
+seutil_read_config(wm_domain)
+
+udev_read_pid_files(wm_domain)
+
+# the following is needed by gnome-shell
+userdom_exec_user_home_content_files(wm_domain)
+
+userdom_manage_user_tmp_sockets(wm_domain)
+userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
+userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
+
+# to print error messages
+userdom_use_inherited_user_terminals(wm_domain)
+
+userdom_manage_user_home_content_dirs(wm_domain)
+userdom_manage_user_home_content_files(wm_domain)
+
+userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
+
+wm_dontaudit_exec_tmp_files(wm_domain)
+wm_dontaudit_exec_tmpfs_files(wm_domain)
+
+optional_policy(`
+ accountsd_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ bluetooth_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ consolekit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_power(wm_domain)
+')
+
+optional_policy(`
+ evolution_dbus_chat(wm_domain)
+ evolution_alarm_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ games_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ # gnome-shell
+ mount_exec(wm_domain)
+')
+
+optional_policy(`
+ mozilla_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(wm_domain)
+ networkmanager_read_etc_files(wm_domain)
+')
+
+optional_policy(`
+ policykit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ telepathy_mission_control_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ userhelper_exec_consolehelper(wm_domain)
+')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(wm_domain)
+ xserver_rw_xsession_log(wm_domain)
+')
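Review bot: `userdom_manage_user_home_content_files(wm_domain)` together with `userdom_exec_user_home_content_files(wm_domain)` lets every wm domain both write and execute generic user home content, so a file dropped into the home directory can be run inside a domain that the role template in wm.if also exempts from MLS constraints. The comment `# the following is needed by gnome-shell` justifies the exec grant for one program, but wm.fc labels openbox, twm, metacity and mutter with the same wm_exec_t, so they all receive it. Consider gating the exec grant behind a tunable or a gnome-shell-specific domain, or at least widen the comment: `# gnome-shell executes extensions from the user home; note this applies to every wm_domain, not only gnome-shell`.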
diff --git a/policy/modules/apps/xscreensaver.fc b/policy/modules/apps/xscreensaver.fc
new file mode 100644
index 00000000..70b71a5c
--- /dev/null
+++ b/policy/modules/apps/xscreensaver.fc
@@ -0,0 +1,7 @@
+HOME_DIR/\.xscreensaver -- gen_context(system_u:object_r:xscreensaver_config_t,s0)
+
+/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0)
+/usr/bin/xscreensaver-getimage.* -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+/usr/bin/xscreensaver-gl-helper -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
+
+/usr/libexec/xscreensaver(/.*)? -- gen_context(system_u:object_r:xscreensaver_helper_exec_t,s0)
diff --git a/policy/modules/apps/xscreensaver.if b/policy/modules/apps/xscreensaver.if
new file mode 100644
index 00000000..704c3bdd
--- /dev/null
+++ b/policy/modules/apps/xscreensaver.if
@@ -0,0 +1,41 @@
+## <summary>Modular screen saver and locker for X11.</summary>
+
+########################################
+## <summary>
+## Role access for xscreensaver.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`xscreensaver_role',`
+ gen_require(`
+ attribute_role xscreensaver_roles;
+ attribute_role xscreensaver_helper_roles;
+ type xscreensaver_t, xscreensaver_exec_t;
+ type xscreensaver_helper_t;
+ type xscreensaver_config_t, xscreensaver_tmpfs_t;
+ ')
+
+ roleattribute $1 xscreensaver_roles;
+ roleattribute $1 xscreensaver_helper_roles;
+
+ domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)
+
+ allow $2 xscreensaver_t:process { ptrace signal_perms };
+ ps_process_pattern($2, xscreensaver_t)
+
+ allow $2 xscreensaver_config_t:file { manage_file_perms relabel_file_perms };
+
+ allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };
+
+ allow xscreensaver_helper_t $2:fd use;
+')
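Review bot: `allow $2 xscreensaver_t:process { ptrace signal_perms }` lets the user domain ptrace and kill the locker, so the policy does not protect the screen lock from a compromised process in the user's own session; this matches the other role interfaces in this change, but a locker is the one case where the decision is worth stating. If lock integrity against the session is not a goal, add a comment such as `# the lock is not protected from the user session: ptrace and kill are permitted`; if it is, drop `ptrace` and narrow `signal_perms`. There is also no `xscreensaver_domtrans` or `xscreensaver_run` interface, unlike wine.if and yam.if, so the role interface is the only way into xscreensaver_t.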
diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te
new file mode 100644
index 00000000..4e67161c
--- /dev/null
+++ b/policy/modules/apps/xscreensaver.te
@@ -0,0 +1,115 @@
+policy_module(xscreensaver, 1.3.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Grant the xscreensaver domains read access to generic user content
+## </p>
+## </desc>
+gen_tunable(`xscreensaver_read_generic_user_content', true)
+
+attribute_role xscreensaver_roles;
+attribute_role xscreensaver_helper_roles;
+
+type xscreensaver_t;
+type xscreensaver_exec_t;
+userdom_user_application_domain(xscreensaver_t, xscreensaver_exec_t)
+role xscreensaver_roles types xscreensaver_t;
+
+type xscreensaver_helper_t;
+type xscreensaver_helper_exec_t;
+userdom_user_application_domain(xscreensaver_helper_t, xscreensaver_helper_exec_t)
+role xscreensaver_helper_roles types xscreensaver_helper_t;
+
+type xscreensaver_config_t;
+userdom_user_home_content(xscreensaver_config_t)
+
+type xscreensaver_tmpfs_t;
+userdom_user_tmpfs_file(xscreensaver_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow xscreensaver_t self:capability { setgid setuid };
+allow xscreensaver_t self:process { setsched signal sigstop };
+allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
+
+allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop };
+
+allow xscreensaver_t xscreensaver_config_t:file manage_file_perms;
+
+kernel_read_system_state(xscreensaver_t)
+
+files_read_usr_files(xscreensaver_t)
+
+fs_dontaudit_getattr_xattr_fs(xscreensaver_t)
+
+auth_use_nsswitch(xscreensaver_t)
+auth_domtrans_chk_passwd(xscreensaver_t)
+
+domtrans_pattern(xscreensaver_t, xscreensaver_helper_exec_t, xscreensaver_helper_t)
+
+init_read_utmp(xscreensaver_t)
+
+logging_send_audit_msgs(xscreensaver_t)
+logging_send_syslog_msg(xscreensaver_t)
+
+miscfiles_read_localization(xscreensaver_t)
+
+userdom_use_user_terminals(xscreensaver_t)
+
+xdg_read_pictures(xscreensaver_t)
+
+xserver_rw_xsession_log(xscreensaver_t)
+xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+
+tunable_policy(`xscreensaver_read_generic_user_content',`
+ userdom_list_user_tmp(xscreensaver_t)
+ userdom_list_user_home_content(xscreensaver_t)
+ userdom_read_user_home_content_files(xscreensaver_t)
+ userdom_read_user_home_content_symlinks(xscreensaver_t)
+ userdom_read_user_tmp_files(xscreensaver_t)
+',`
+ files_dontaudit_list_home(xscreensaver_t)
+ files_dontaudit_list_tmp(xscreensaver_t)
+
+ userdom_dontaudit_list_user_home_dirs(xscreensaver_t)
+ userdom_dontaudit_list_user_tmp(xscreensaver_t)
+ userdom_dontaudit_read_user_home_content_files(xscreensaver_t)
+ userdom_dontaudit_read_user_tmp_files(xscreensaver_t)
+')
+
+########################################
+#
+# Helper local policy
+#
+
+allow xscreensaver_helper_t self:process { execmem signal };
+allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms;
+
+allow xscreensaver_helper_t xscreensaver_config_t:file manage_file_perms;
+
+dev_read_sysfs(xscreensaver_helper_t)
+
+kernel_read_system_state(xscreensaver_helper_t)
+
+files_dontaudit_search_home(xscreensaver_helper_t)
+
+# /etc/drirc
+files_read_etc_files(xscreensaver_helper_t)
+
+files_read_usr_files(xscreensaver_helper_t)
+
+fs_dontaudit_getattr_xattr_fs(xscreensaver_helper_t)
+
+miscfiles_read_fonts(xscreensaver_helper_t)
+miscfiles_read_localization(xscreensaver_helper_t)
+
+xserver_rw_xsession_log(xscreensaver_helper_t)
+xserver_stream_connect(xscreensaver_helper_t)
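Review bot: The helper domain receives `allow xscreensaver_helper_t xscreensaver_config_t:file manage_file_perms` on the user's `~/.xscreensaver`, the same write access the locker itself has, yet the helpers (xscreensaver-getimage, the GL helper and the hacks under /usr/libexec/xscreensaver per xscreensaver.fc) are the part that processes external image data, and the config file decides which hacks run and how locking behaves. Unless a helper actually rewrites the file, `read_file_perms` is the least-privilege grant; if writing is required, name the helper in a comment. Separately, the tunable here is declared with m4 quotes around its name while wine.te declares `wine_mmap_zero_ignore` unquoted — both work, but one style should be picked across the module set.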
diff --git a/policy/modules/apps/yam.fc b/policy/modules/apps/yam.fc
new file mode 100644
index 00000000..74401d54
--- /dev/null
+++ b/policy/modules/apps/yam.fc
@@ -0,0 +1,6 @@
+/etc/yam\.conf -- gen_context(system_u:object_r:yam_etc_t,s0)
+
+/usr/bin/yam -- gen_context(system_u:object_r:yam_exec_t,s0)
+
+/var/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0)
+/var/www/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0)
diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if
new file mode 100644
index 00000000..ba7c8c88
--- /dev/null
+++ b/policy/modules/apps/yam.if
@@ -0,0 +1,66 @@
+## <summary>Yum/Apt Mirroring.</summary>
+
+########################################
+## <summary>
+## Execute yam in the yam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`yam_domtrans',`
+ gen_require(`
+ type yam_t, yam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, yam_exec_t, yam_t)
+')
+
+########################################
+## <summary>
+## Execute yam in the yam domain, and
+## allow the specified role the yam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`yam_run',`
+ gen_require(`
+ attribute_role yam_roles;
+ ')
+
+ yam_domtrans($1)
+ roleattribute $2 yam_roles;
+')
+
+########################################
+## <summary>
+## Read yam content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`yam_read_content',`
+ gen_require(`
+ type yam_content_t;
+ ')
+
+ allow $1 yam_content_t:dir list_dir_perms;
+ read_files_pattern($1, yam_content_t, yam_content_t)
+ read_lnk_files_pattern($1, yam_content_t, yam_content_t)
+')
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
new file mode 100644
index 00000000..b451e6e8
--- /dev/null
+++ b/policy/modules/apps/yam.te
@@ -0,0 +1,96 @@
+policy_module(yam, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role yam_roles;
+
+type yam_t alias yam_crond_t;
+type yam_exec_t;
+application_domain(yam_t, yam_exec_t)
+role yam_roles types yam_t;
+
+type yam_content_t;
+files_mountpoint(yam_content_t)
+
+type yam_etc_t;
+files_config_file(yam_etc_t)
+
+type yam_tmp_t;
+files_tmp_file(yam_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow yam_t self:capability { chown dac_override fowner fsetid };
+allow yam_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
+allow yam_t self:fd use;
+allow yam_t self:fifo_file rw_fifo_file_perms;
+allow yam_t self:unix_stream_socket { accept connectto listen };
+allow yam_t self:unix_dgram_socket sendto;
+
+manage_dirs_pattern(yam_t, yam_content_t, yam_content_t)
+manage_files_pattern(yam_t, yam_content_t, yam_content_t)
+manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t)
+
+allow yam_t yam_etc_t:file read_file_perms;
+
+manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t)
+manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t)
+files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
+
+kernel_read_system_state(yam_t)
+
+corecmd_exec_bin(yam_t)
+corecmd_exec_shell(yam_t)
+
+corenet_all_recvfrom_unlabeled(yam_t)
+corenet_all_recvfrom_netlabel(yam_t)
+corenet_tcp_sendrecv_generic_if(yam_t)
+corenet_tcp_sendrecv_generic_node(yam_t)
+
+corenet_sendrecv_http_client_packets(yam_t)
+corenet_tcp_connect_http_port(yam_t)
+corenet_tcp_sendrecv_http_port(yam_t)
+
+corenet_sendrecv_rsync_client_packets(yam_t)
+corenet_tcp_connect_rsync_port(yam_t)
+corenet_tcp_sendrecv_rsync_port(yam_t)
+
+dev_read_urand(yam_t)
+
+files_read_etc_runtime_files(yam_t)
+files_exec_usr_files(yam_t)
+
+fs_search_auto_mountpoints(yam_t)
+fs_read_iso9660_files(yam_t)
+
+auth_use_nsswitch(yam_t)
+
+logging_send_syslog_msg(yam_t)
+
+miscfiles_read_localization(yam_t)
+
+seutil_read_config(yam_t)
+
+userdom_use_user_terminals(yam_t)
+userdom_use_unpriv_users_fds(yam_t)
+userdom_search_user_home_dirs(yam_t)
+
+apache_search_sys_content(yam_t)
+
+optional_policy(`
+ cron_system_entry(yam_t, yam_exec_t)
+')
+
+optional_policy(`
+ mount_domtrans(yam_t)
+')
+
+optional_policy(`
+ rsync_exec(yam_t)
+')
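Review bot: The `self:process` rule is far broader than a mirroring job should need: `execmem` lets yam map anonymous writable+executable memory (defeating W^X for any injected payload), `setcap`/`setcapability` together with the `dac_override` capability on the line above is a privilege-escalation foothold, and `transition`/`dyntransition`/`noatsecure`/`siginh`/`rlimitinh` against `self` are either meaningless or only appropriate for login-style domains. This looks like a denial list pasted wholesale rather than a minimal grant; it should be trimmed to what audit2allow actually shows for a run, likely something like `allow yam_t self:process { getsched setsched signal_perms getpgid setpgid getattr };` with anything beyond that justified by a comment. Similarly `dac_override` on the capability line is usually satisfiable by `dac_read_search`, and `chown fowner fsetid` should be confirmed against whether rsync is run with `-a`/`-o`/`-g`, since `rsync_exec` is granted below. A short header comment noting that yam downloads via http/rsync and writes into `yam_content_t` and `yam_tmp_t` would also document why the network and tmp rules are there.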