From 3cda61f9a576315e9889821faf495663ad8257ef Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Wed, 29 Nov 2023 10:38:48 +0100 Subject: [PATCH 1/3] Add option to generate custom policy for a confined user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Udica can now generate cil policy for a confined user using a list of macros. The macros are based on policy templates created by Patrik Končitý: https://github.com/Koncpa/confined-users-policy Signed-off-by: Vit Mojzis --- README.md | 50 + setup.py | 1 + udica/__main__.py | 342 +- udica/confined_user.py | 134 + udica/macros/confined_user_macros.cil | 4367 +++++++++++++++++++++++++ 5 files changed, 4779 insertions(+), 115 deletions(-) create mode 100644 udica/confined_user.py create mode 100644 udica/macros/confined_user_macros.cil diff --git a/README.md b/README.md index b37b885..37f68b1 100644 --- a/README.md +++ b/README.md 
@@ -170,6 +170,56 @@ SELinux now allows binding to tcp/udp port *21*, but not to *80*: Ncat: SHA-1 fingerprint: 6EEC 102E 6666 5F96 CC4F E5FA A1BE 4A5E 6C76 B6DC Ncat: bind to :::80: Permission denied. QUITTING. +## Creating SELinux policy for confined user + +Each Linux user on an SELinux-enabled system is mapped to an SELinux user. By default administrators can choose between the following SELinux users when confining a user account: root, staff_u, sysadm_u, user_u, xguest_u, guest_u (and unconfined_u which does not limit the user's actions). + +To give administrators more options in confining users, *udica* now provides a way to generate a custom SELinux user (and corresponding roles and types) based on the specified parameters. The new user policy is assembled using a set of predefined policy macros based on use-cases (managing network, administrative tasks, etc.). + +To generate a confined user, use the "confined_user" keyword followed by a list of options: + +| Option | Use case | +| ------------- | ------------- | +| -a, --admin_commands | Use administrative commands (vipw, passwd, ...) | +| -g, --graphical_login | Use graphical login environment | +| -m, --mozilla_usage | Use mozilla firefox | +| -n, --networking | Manage basic networking (ip, ifconfig, traceroute, tcpdump, ...) | +| -d, --security_advanced | Manage SELinux settings (semanage, semodule, sepolicy, ...) | +| -i, --security_basic | Use read-only security-related tools (seinfo, getsebool, sesearch, ...) | +| -s, --sudo | Run commands as root using sudo | +| -l, --user_login | Basic rules common to all users (tty, pty, ...) | +| -c, --ssh_connect | Connect over SSH | +| -b, --basic_commands | Use basic commands (date, ls, ps, man, systemctl -user, journalctl -user, passwd, ...) | + +The new user also needs to be assigned an MLS/MCS level and range. These are set to `s0` and `s0:c0.c1023` respectively by default to work well in *targeted* policy mode. 
+For more details see [Red Hat Multi-Level Security documentation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/using_selinux/index#using-multi-level-security-mls_using-selinux). + +``` +$ udica confined_user -abcdgilmns --level s0 --range "s0:c0" custom_user + +Created custom_user.cil +Run the following commands to apply the new policy: +Install the new policy module +# semodule -i custom_user.cil /usr/share/udica/macros/confined_user_macros.cil +Create a default context file for the new user +# sed -e ’s|user|custom_user|g’ /etc/selinux/targeted/contexts/users/user_u > /etc/selinux/targeted/contexts/users/custom_user_u +Map the new selinux user to an existing user account +# semanage login -a -s custom_user_u custom_user +Fix labels in the user's home directory +# restorecon -RvF /home/custom_user +``` + +As prompted by *udica*, the new user policy needs to be installed into the system along with the *confined_user_macros* file and a *default context* file needs to be created before the policy is ready to be used. + +Last step is either assignment to an existing linux user (using `semanage login`), or specifying the new SELinux user when creating a new linux user account (no need to run `restorecon` for a new user home directory). +``` +useradd -Z custom_user_u +``` + +The created policy defines a new SELinux user `_u`, a corresponding role `_r` and a list of types (varies based on selected options) `_t, _sudo_t, _ssh_agent_t, ...` + +See [Red Hat Confined User documentation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_selinux/managing-confined-and-unconfined-users_using-selinux#doc-wrapper) for more details about confined users, their assignment, available roles and access they allow. + ## SELinux labels vs. objects they represent Policies generated by *udica* work with **SELinux labels** as opposed to filesystem paths, port numbers etc. 
This means that allowing access to given path (e.g. path to a directory mounted to your container), port number, or any other resource may also allow access to other resources you didn't specify, since the same SELinux label can be assigned to multiple resources. diff --git a/setup.py b/setup.py index deb6457..d3f20f4 100644 --- a/setup.py +++ b/setup.py @@ -37,6 +37,7 @@ data_files=[ ("/usr/share/licenses/udica", ["LICENSE"]), ("/usr/share/udica/ansible", ["udica/ansible/deploy-module.yml"]), + ("/usr/share/udica/macros", ["udica/macros/confined_user_macros.cil"]), ], # scripts=["bin/udica"], entry_points={"console_scripts": ["udica=udica.__main__:main"]}, diff --git a/udica/__main__.py b/udica/__main__.py index 43d2e43..1ba8515 100644 --- a/udica/__main__.py +++ b/udica/__main__.py @@ -13,8 +13,9 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -import subprocess import argparse +import subprocess +import sys # import udica from udica.parse import parse_avc_file 
@@ -25,116 +26,224 @@ def get_args(): - parser = argparse.ArgumentParser( - description="Script generates SELinux policy for running container." - ) - parser.add_argument("-V", "--version", action="version", version=version) - parser.add_argument( - type=str, help="Name for SELinux policy module", dest="ContainerName" - ) - parser.add_argument( - "-i", - "--container-id", - type=str, - help="Running container ID", - dest="ContainerID", - default=None, - ) - parser.add_argument( - "-j", - "--json", - help='Load json from this file, use "-j -" for stdin', - required=False, - dest="JsonFile", - default=None, - ) - parser.add_argument( - "--full-network-access", - help="Allow container full Network access ", - required=False, - dest="FullNetworkAccess", - action="store_true", - ) - parser.add_argument( - "--tty-access", - help="Allow container to read and write the controlling terminal ", - required=False, - dest="TtyAccess", - action="store_true", - ) - parser.add_argument( - "--X-access", - help="Allow container to communicate with Xserver ", - required=False, - dest="XAccess", - action="store_true", - ) - parser.add_argument( - "--virt-access", - help="Allow container to communicate with libvirt ", - required=False, - dest="VirtAccess", - action="store_true", - ) - parser.add_argument( - "-s", - "--stream-connect", - help="Allow container to stream connect with given SELinux domain ", - required=False, - dest="StreamConnect", - ) - parser.add_argument( - "-l", - "--load-modules", - help="Load templates and module created by this tool ", - required=False, - dest="LoadModules", - action="store_true", - ) - parser.add_argument( - "-c", - "--caps", - help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"', - required=False, - dest="Caps", - default=None, - ) - parser.add_argument( - "--devices", - type=str, - help='List of devices the container should have access to, 
e.g "--devices /dev/dri/card0,/dev/dri/renderD128"', - dest="Devices", - required=False, - default=None, - ) - parser.add_argument( - "-d", - "--ansible", - help="Generate ansible playbook to deploy SELinux policy for containers ", - required=False, - dest="Ansible", - action="store_true", - ) - parser.add_argument( - "-a", - "--append-rules", - type=str, - help="Append more SELinux allow rules from file", - dest="FileAVCS", - required=False, - default=None, - ) - parser.add_argument( - "-e", - "--container-engine", - type=str, - help="Specify which container engine is used for the inspected container (supports: {})".format( - ", ".join(ENGINE_ALL) - ), - dest="ContainerEngine", - required=False, - default="-", - ) + if "confined_user" in sys.argv: + # set up confined_user parser (do not show normal "udica" options) + parser = argparse.ArgumentParser( + description="SELinux confined user policy generator" + ) + parser.add_argument("confined_user") + parser.add_argument( + "-a", + "--admin_commands", + action="store_true", + default=False, + dest="admin_commands", + help="Use administrative commands (vipw, passwd, ...)", + ) + parser.add_argument( + "-g", + "--graphical_login", + action="store_true", + default=False, + dest="graphical_login", + help="Use graphical login environment", + ) + parser.add_argument( + "-m", + "--mozilla_usage", + action="store_true", + default=False, + dest="mozilla_usage", + help="Use mozilla firefox", + ) + parser.add_argument( + "-n", + "--networking", + action="store_true", + default=False, + dest="networking", + help="Manage basic networking (ip, ifconfig, traceroute, tcpdump, ...)", + ) + parser.add_argument( + "-d", + "--security_advanced", + action="store_true", + default=False, + dest="security_advanced", + help="Manage SELinux settings (semanage, semodule, sepolicy, ...)", + ) + parser.add_argument( + "-i", + "--security_basic", + action="store_true", + default=False, + dest="security_basic", + help="Use read-only 
security-related tools (seinfo, getsebool, sesearch, ...)", + ) + parser.add_argument( + "-s", + "--sudo", + action="store_true", + default=False, + dest="sudo", + help="Run commands as root using sudo", + ) + parser.add_argument( + "-l", + "--user_login", + action="store_true", + default=False, + dest="user_login", + help="Basic rules common to all users (tty, pty, ...)", + ) + parser.add_argument( + "-c", + "--ssh_connect", + action="store_true", + default=False, + dest="ssh_connect", + help="Connect over SSH", + ) + parser.add_argument( + "-b", + "--basic_commands", + action="store_true", + default=False, + dest="basic_commands", + help="Use basic commands (date, ls, ps, man, systemctl -user, journalctl -user, passwd, ...)", + ) + parser.add_argument( + "--level", + nargs="?", + default="s0", + dest="level", + help='MLS/MCS level, defaults to "s0"', + ) + parser.add_argument( + "--range", + nargs="?", + default="s0-s0:c0.c1023", + dest="range", + help='MLS/MCS range, defaults to "s0-s0:c0.c1023"', + ) + parser.add_argument("uname") + else: + # set up normal udica parser + parser = argparse.ArgumentParser( + description="Script generates SELinux policy for running container.", + prog="udica [confined_user]", + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog="""Additional options: + confined_user Generate policy for a new confined user instead of a container policy""", + ) + parser.add_argument("-V", "--version", action="version", version=version) + parser.add_argument( + type=str, help="Name for SELinux policy module", dest="ContainerName" + ) + parser.add_argument( + "-i", + "--container-id", + type=str, + help="Running container ID", + dest="ContainerID", + default=None, + ) + parser.add_argument( + "-j", + "--json", + help='Load json from this file, use "-j -" for stdin', + required=False, + dest="JsonFile", + default=None, + ) + parser.add_argument( + "--full-network-access", + help="Allow container full Network access ", + required=False, + 
dest="FullNetworkAccess", + action="store_true", + ) + parser.add_argument( + "--tty-access", + help="Allow container to read and write the controlling terminal ", + required=False, + dest="TtyAccess", + action="store_true", + ) + parser.add_argument( + "--X-access", + help="Allow container to communicate with Xserver ", + required=False, + dest="XAccess", + action="store_true", + ) + parser.add_argument( + "--virt-access", + help="Allow container to communicate with libvirt ", + required=False, + dest="VirtAccess", + action="store_true", + ) + parser.add_argument( + "-s", + "--stream-connect", + help="Allow container to stream connect with given SELinux domain ", + required=False, + dest="StreamConnect", + ) + parser.add_argument( + "-l", + "--load-modules", + help="Load templates and module created by this tool ", + required=False, + dest="LoadModules", + action="store_true", + ) + parser.add_argument( + "-c", + "--caps", + help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"', + required=False, + dest="Caps", + default=None, + ) + parser.add_argument( + "--devices", + type=str, + help='List of devices the container should have access to, e.g "--devices /dev/dri/card0,/dev/dri/renderD128"', + dest="Devices", + required=False, + default=None, + ) + parser.add_argument( + "-d", + "--ansible", + help="Generate ansible playbook to deploy SELinux policy for containers ", + required=False, + dest="Ansible", + action="store_true", + ) + parser.add_argument( + "-a", + "--append-rules", + type=str, + help="Append more SELinux allow rules from file", + dest="FileAVCS", + required=False, + default=None, + ) + parser.add_argument( + "-e", + "--container-engine", + type=str, + help="Specify which container engine is used for the inspected container (supports: {})".format( + ", ".join(ENGINE_ALL) + ), + dest="ContainerEngine", + required=False, + default="-", + ) + args = 
parser.parse_args() return vars(args) @@ -142,6 +251,13 @@ def get_args(): def main(): opts = get_args() + # generate confined user policy + if "confined_user" in opts.keys(): + from udica.confined_user import create_confined_user_policy + + create_confined_user_policy(opts) + return + if opts["ContainerID"]: container_inspect_raw = None for backend in [ENGINE_PODMAN, ENGINE_DOCKER]: @@ -167,8 +283,6 @@ def main(): if opts["JsonFile"]: if opts["JsonFile"] == "-": - import sys - container_inspect_raw = sys.stdin.read() else: import os.path @@ -182,8 +296,6 @@ def main(): if (not opts["JsonFile"]) and (not opts["ContainerID"]): try: - import sys - container_inspect_raw = sys.stdin.read() except Exception as e: print("Couldn't parse inspect data from stdin:", e) diff --git a/udica/confined_user.py b/udica/confined_user.py new file mode 100644 index 0000000..bd92378 --- /dev/null +++ b/udica/confined_user.py 
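Review bot: The mode switch `if "confined_user" in sys.argv:` matches the token anywhere on the command line, so a container policy literally named `confined_user` (`udica confined_user -j inspect.json`) or any option value equal to that string silently selects the confined-user parser, and the bare positional `parser.add_argument("confined_user")` never checks that the value it consumed is actually that keyword. Dispatching on the first argument only, `if len(sys.argv) > 1 and sys.argv[1] == "confined_user":`, or moving the mode to `parser.add_subparsers()` would make the selection explicit. `--level` and `--range` are declared with `nargs="?"`, so `--level` given without a value binds `None` instead of the default and that `None` is later interpolated into the generated policy; dropping `nargs="?"` lets argparse reject the missing value. The help for `-a/--admin_commands` ("vipw, passwd, ...") understates what it grants: the new `confinedom_admin_commands_macro` adds the user type to `files_unconfined_type` and `can_system_change`, so the help text should warn that this option effectively removes file-access confinement for the user domain.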
@@ -0,0 +1,134 @@ +# Copyright (C) 2023 Vit Mojzis, +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +MACRO_CALLS = { + "admin_commands": ( + "(call confinedom_admin_commands_macro ({}))", + ("_t", "_r", "_sudo_t"), + ), + "graphical_login": ( + "(call confinedom_graphical_login_macro ({}))", + ("_t", "_r", "_dbus_t"), + ), + "mozilla_usage": ("(call confinedom_mozilla_usage_macro ({}))", ("_t", "_r")), + "networking": ("(call confinedom_networking_macro ({}))", ("_t", "_r")), + "security_advanced": ( + "(call confinedom_security_advanced_macro ({}))", + ("_t", "_r", "_sudo_t", "_userhelper_t"), + ), + "security_basic": ("(call confinedom_security_basic_macro ({}))", ("_t", "_r")), + "sudo": ( + "(call confinedom_sudo_macro ({}))", + ("_t", "_r", "_sudo_t", "_sudo_tmp_t"), + ), + "user_login": ( + "(call confinedom_user_login_macro ({}))", + ("_t", "_r", "_gkeyringd_t", "_dbus_t", "_exec_content"), + ), + "ssh_connect": ( + "(call confined_ssh_connect_macro ({}))", + ("_t", "_r", "_ssh_agent_t"), + ), + "basic_commands": ("(call confined_use_basic_commands_macro ({}))", ("_t", "_r")), +} + +TYPE_DEFS = { + "_t": "(type {}_t)", + "_r": "(role {}_r)", + "_dbus_t": "(type {}_dbus_t)", + "_gkeyringd_t": "(type {}_gkeyringd_t)", + "_ssh_agent_t": "(type {}_ssh_agent_t)", + "_sudo_t": "(type {}_sudo_t)", + "_sudo_tmp_t": "(type {}_sudo_tmp_t)", + "_userhelper_t": "(type {}_userhelper_t)", + "_exec_content": 
"(boolean {}_exec_content true)", +} + + +def create_confined_user_policy(opts): + # MCS/MLS range handling - needs to be separated into up-to 4 parts + # s0-s15:c0.c1023 -> (userrange {uname}_u ((s0 ) (s15 (range c0 c1023)))) + # s0:c0 -> (userrange {uname}_u ((s0 ) (s0 (c0)))) + mls_range = opts["range"] + mcs_range = "" + # separate MCS portion + if ":" in opts["range"]: + # s0:c0.c1023 + (mls_range, mcs_range) = opts["range"].split(":") + if "-" in mls_range: + # s0-s15 + (range_l, range_h) = mls_range.split("-") + else: + # s0 + range_l = mls_range + range_h = range_l + if mcs_range != "": + if "." in mcs_range: + # s0:c0.c1023 -> (userrange {uname}_u ((s0 ) (s0 (range c0 c1023)))) + (mcs_range_l, mcs_range_h) = mcs_range.split(".") + mcs_range = "(range {} {})".format(mcs_range_l, mcs_range_h) + else: + # s0:c0 -> (userrange {uname}_u ((s0 ) (s0 (c0)))) + mcs_range = "({})".format(mcs_range) + + range = "({} ) ({} {})".format(range_l, range_h, mcs_range) + + defs = set() + + policy = """ +(user {uname}_u) +(userrole {uname}_u {uname}_r) +(userlevel {uname}_u ({level})) +(userrange {uname}_u ({range})) +""".format( + uname=opts["uname"], level=opts["level"], range=range + ) + + # process arguments determining which macros are to be used + for arg, value in opts.items(): + if not value or arg not in MACRO_CALLS.keys(): + continue + for param in MACRO_CALLS[arg][1]: + defs.add(TYPE_DEFS[param].format(opts["uname"])) + policy += "\n" + ( + MACRO_CALLS[arg][0].format( + " ".join([opts["uname"] + s for s in MACRO_CALLS[arg][1]]) + ) + ) + # print("{}: {}".format(arg, value)) + + policy = "\n".join(sorted(defs)) + policy + + with open("{}.cil".format(opts["uname"]), "w") as f: + f.write(policy) + + print("Created {}.cil".format(opts["uname"])) + print("Run the following commands to apply the new policy:") + print("Install the new policy module") + print( + "# semodule -i {}.cil /usr/share/udica/macros/confined_user_macros.cil".format( + opts["uname"] + ) + ) + 
print("Create a default context file for the new user") + print( + "# sed -e ’s|user|{}|g’ /etc/selinux/targeted/contexts/users/user_u > /etc/selinux/targeted/contexts/users/{}_u".format( + opts["uname"], opts["uname"] + ) + ) + print("Map the new selinux user to an existing user account") + print("# semanage login -a -s {}_u {}".format(opts["uname"], opts["uname"])) + print("Fix labels in the user's home directory") + print("# restorecon -RvF /home/{}".format(opts["uname"])) diff --git a/udica/macros/confined_user_macros.cil b/udica/macros/confined_user_macros.cil new file mode 100644 index 0000000..ddb5689 --- /dev/null +++ b/udica/macros/confined_user_macros.cil 
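Review bot: `opts["uname"]`, `opts["level"]` and `opts["range"]` are interpolated unvalidated into the CIL text, into the output path `"{}.cil".format(opts["uname"])` and into the printed `semodule`/`sed`/`semanage`/`restorecon` commands, so a name like `../x`, or one containing spaces or parentheses, writes outside the working directory or yields a module that fails to compile, and a range such as `s0-s1-s2` raises ValueError from the `(range_l, range_h) = mls_range.split("-")` unpacking. Validate both at the top of `create_confined_user_policy`, e.g. `if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", opts["uname"]): sys.exit("invalid user name")`, with a similar fullmatch for level/range (`s\d+(-s\d+)?(:c\d+(\.c\d+)?)?`) before any splitting. The printed sed command uses typographic quotes (`’s|user|{}|g’`), which the shell passes through literally so sed rejects the script; it should be ASCII `'s|user|{}|g'`. Minor: `range = "({} ) ({} {})"...` shadows the builtin; a name like `user_range_cil` reads better.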
@@ -0,0 +1,4367 @@ +(typeattribute login_confinedom) + +(optional confined_transition_userdomain_optional + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require xdm_t) + (typeattributeset cil_gen_require login_confinedom) + (typeattributeset cil_gen_require xsession_exec_t) + (allow xdm_t xsession_exec_t (file (ioctl read getattr map execute open))) + (allow xdm_t login_confinedom (process (transition))) + (allow login_confinedom xdm_t (fd (use))) + (allow login_confinedom xdm_t (fifo_file (ioctl read write getattr lock append open))) + (allow login_confinedom xdm_t (process (sigchld))) +) + +(optional confined_xsession_spec_domtrans_conf_users_optional + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require xdm_t) + (typeattributeset cil_gen_require login_confinedom) + (allow init_t login_confinedom (process (transition))) +) + +(macro confinedom_admin_commands_macro ((type utype) (role urole) (type sudo_type)) + (optional confinedom_admin_commands_optional_2 + (roleattributeset cil_gen_require urole) + (roleattributeset cil_gen_require iptables_roles) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require sudo_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require usbmon_device_t) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require policy_config_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require modules_object_t) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require files_unconfined_type) + (typeattributeset cil_gen_require init_var_run_t) + (typeattributeset cil_gen_require init_var_lib_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require 
iptables_t) + (typeattributeset cil_gen_require iptables_exec_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require proc_net_t) + (typeattributeset cil_gen_require auditd_t) + (typeattributeset cil_gen_require auditd_etc_t) + (typeattributeset cil_gen_require auditd_log_t) + (typeattributeset cil_gen_require auditd_var_run_t) + (typeattributeset cil_gen_require auditd_initrc_exec_t) + (typeattributeset cil_gen_require auditd_unit_file_t) + (typeattributeset cil_gen_require auditctl_t) + (typeattributeset cil_gen_require auditctl_exec_t) + (typeattributeset cil_gen_require initrc_t) + (typeattributeset cil_gen_require initrc_transition_domain) + (typeattributeset cil_gen_require filesystem_type) + (typeattributeset cil_gen_require can_system_change) + (typeattributeset cil_gen_require systemd_systemctl_exec_t) + (typeattributeset cil_gen_require cgroup_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require efivarfs_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require systemd_logind_var_run_t) + (typeattributeset cil_gen_require systemd_passwd_agent_t) + (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) + (typeattributeset cil_gen_require systemd_passwd_var_run_t) + (typeattributeset cil_gen_require syslogd_t) + (typeattributeset cil_gen_require klogd_t) + (typeattributeset cil_gen_require syslog_conf_t) + (typeattributeset cil_gen_require syslogd_tmp_t) + (typeattributeset cil_gen_require syslogd_var_lib_t) + (typeattributeset cil_gen_require syslogd_var_run_t) + (typeattributeset cil_gen_require klogd_var_run_t) + (typeattributeset cil_gen_require klogd_tmp_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require syslogd_initrc_exec_t) + (typeattributeset cil_gen_require logfile) + 
(typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require user_home_t) + (typeattributeset cil_gen_require user_home_type) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require passwd_t) + (typeattributeset cil_gen_require passwd_exec_t) + (roleattributeset cil_gen_require iptables_roles) + (roleattributeset iptables_roles (urole )) + (roleattributeset cil_gen_require urole) + (roletype urole auditctl_t) + (typeattributeset cil_gen_require initrc_transition_domain) + (typeattributeset initrc_transition_domain (utype )) + (typeattributeset cil_gen_require files_unconfined_type) + (typeattributeset files_unconfined_type (utype )) + (typeattributeset cil_gen_require can_system_change) + (typeattributeset can_system_change (utype )) + (allow utype self (capability (net_raw))) + (allow utype self (netlink_generic_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow utype self (netlink_netfilter_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow utype self (netlink_rdma_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow utype self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow utype self (packet_socket (map))) + (allow sudo_type utype (unix_stream_socket (connectto))) + (allow sudo_type self (bluetooth_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow sudo_type self (capability (net_raw))) + (allow sudo_type self (netlink_generic_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow sudo_type self (netlink_netfilter_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow sudo_type self (netlink_rdma_socket (ioctl read 
write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow sudo_type self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow sudo_type self (packet_socket (map))) + (allow utype domain (process (getattr))) + (allow utype usbmon_device_t (chr_file (map))) + (allow utype device_t (dir (getattr open search))) + (allow utype usbmon_device_t (chr_file (ioctl read getattr lock open))) + (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type non_auth_file_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type non_auth_file_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type non_auth_file_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type non_auth_file_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type non_auth_file_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type selinux_config_t (dir (getattr open search))) + (allow sudo_type policy_config_t (dir (ioctl write getattr lock open add_name search))) + (allow sudo_type policy_config_t (file 
(create getattr open))) + (allow sudo_type policy_config_t (dir (getattr open search))) + (allow sudo_type policy_config_t (file (ioctl write getattr lock append open))) + (allow sudo_type modules_object_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type modules_object_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow sudo_type file_type (dir (ioctl read getattr lock open search))) + (allow sudo_type file_type (dir (getattr open search))) + (allow sudo_type file_type (lnk_file (read getattr))) + (allow sudo_type init_var_run_t (dir (ioctl read getattr lock open search))) + (allow sudo_type init_var_run_t (dir (ioctl write getattr lock open add_name search))) + (allow sudo_type init_var_run_t (dir (create getattr))) + (allow sudo_type var_t (dir (getattr open search))) + (allow sudo_type var_lib_t (dir (getattr open search))) + (allow sudo_type init_var_lib_t (dir (getattr open search))) + (allow sudo_type init_var_lib_t (file (ioctl read getattr map open))) + (allow sudo_type init_t (dir (getattr open search))) + (allow sudo_type init_t (file (ioctl read getattr lock open))) + (allow sudo_type init_t (lnk_file (read getattr))) + (allow sudo_type init_var_run_t (sock_file (write))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype iptables_exec_t (file (ioctl read getattr map execute open))) + (allow utype iptables_t (process (transition))) + (typetransition utype iptables_exec_t process iptables_t) + (allow iptables_t utype (fd (use))) + (allow iptables_t utype (fifo_file (ioctl read write getattr lock append))) + (allow iptables_t utype (process (sigchld))) + (allow utype iptables_exec_t (file (map))) + (allow sudo_type proc_t (dir (getattr open search))) + (allow sudo_type proc_net_t (dir (getattr 
open search))) + (allow sudo_type proc_net_t (file (ioctl read getattr lock open))) + (allow sudo_type proc_t (dir (getattr open search))) + (allow sudo_type proc_net_t (dir (getattr open search))) + (allow sudo_type proc_net_t (lnk_file (read getattr))) + (allow sudo_type proc_t (dir (getattr open search))) + (allow sudo_type proc_net_t (dir (ioctl read getattr lock open search))) + (allow utype auditd_t (process (sigchld sigkill sigstop signull signal))) + (allow utype auditd_t (dir (ioctl read getattr lock open search))) + (allow utype auditd_t (file (ioctl read getattr lock open))) + (allow utype auditd_t (lnk_file (read getattr))) + (allow utype auditd_t (process (getattr))) + (allow utype auditd_etc_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_etc_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype auditd_etc_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_etc_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype auditd_log_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_log_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype auditd_log_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_log_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype auditd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype auditd_var_run_t (dir 
(ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype auditctl_exec_t (file (ioctl read getattr map execute open))) + (allow utype auditctl_t (process (transition))) + (typetransition utype auditctl_exec_t process auditctl_t) + (allow auditctl_t utype (fd (use))) + (allow auditctl_t utype (fifo_file (ioctl read write getattr lock append))) + (allow auditctl_t utype (process (sigchld))) + (allow utype filesystem_type (dir (getattr open search))) + (allow utype auditd_initrc_exec_t (file (ioctl read getattr map execute open))) + (allow utype initrc_t (process (transition))) + (typetransition utype auditd_initrc_exec_t process initrc_t) + (allow initrc_t utype (fd (use))) + (allow initrc_t utype (fifo_file (ioctl read write getattr lock append))) + (allow initrc_t utype (process (sigchld))) + (allow utype auditd_initrc_exec_t (file (ioctl))) + (allow utype etc_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (dir (ioctl read getattr lock open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (file (ioctl read getattr lock open))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (lnk_file (read getattr))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t 
(dir (getattr open search))) + (allow utype efivarfs_t (dir (getattr open search))) + (allow utype efivarfs_t (file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) + (allow utype init_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype init_t (dir (getattr open search))) + (allow utype init_t (file (ioctl read getattr lock open))) + (allow utype init_t (lnk_file (read getattr))) + (allow utype init_t (unix_stream_socket (sendto))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (sock_file (write getattr append open))) + (allow utype init_t (unix_stream_socket (connectto))) + (allow utype init_t (unix_stream_socket (getattr))) + (dontaudit utype self (process (setrlimit))) + (dontaudit utype self (capability (sys_resource))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) + (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow 
utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow systemd_passwd_agent_t utype (process (signull))) + (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) + (dontaudit utype self (capability (net_admin sys_ptrace))) + (allow utype auditd_unit_file_t (file (ioctl read getattr lock open))) + (allow utype auditd_unit_file_t (service (start stop status reload enable disable))) + (allow utype auditd_t (dir (ioctl read getattr lock open search))) + (allow utype auditd_t (file (ioctl read getattr lock open))) + (allow utype auditd_t (lnk_file (read getattr))) + (allow utype auditd_t (process (getattr))) + (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_unit_file_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_unit_file_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) + 
(allow utype auditd_unit_file_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_unit_file_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_unit_file_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype auditd_unit_file_t (dir (getattr open search))) + (allow utype auditd_unit_file_t (dir (getattr relabelfrom relabelto))) + (allow utype auditd_unit_file_t (dir (getattr open search))) + (allow utype auditd_unit_file_t (file (getattr relabelfrom relabelto))) + (allow utype auditd_unit_file_t (dir (getattr open search))) + (allow utype auditd_unit_file_t (lnk_file (getattr relabelfrom relabelto))) + (allow utype auditd_unit_file_t (dir (getattr open search))) + (allow utype auditd_unit_file_t (fifo_file (getattr relabelfrom relabelto))) + (allow utype auditd_unit_file_t (dir (getattr open search))) + (allow utype auditd_unit_file_t (sock_file (getattr relabelfrom relabelto))) + (allow utype auditd_unit_file_t (service (start stop status reload enable disable))) + (allow utype self (capability2 (syslog))) + (allow utype syslogd_t (process (sigchld sigkill sigstop signull signal))) + (allow utype klogd_t (process (sigchld sigkill sigstop signull signal))) + (allow utype syslogd_t (dir (ioctl read getattr lock open search))) + (allow utype syslogd_t (file (ioctl read getattr lock open))) + (allow utype syslogd_t (lnk_file (read getattr))) + (allow utype syslogd_t (process (getattr))) + (allow utype klogd_t (dir (ioctl read getattr lock open search))) + (allow utype klogd_t (file (ioctl read getattr lock open))) + (allow utype klogd_t (lnk_file (read getattr))) + (allow 
utype klogd_t (process (getattr))) + (allow utype klogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype klogd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype klogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype klogd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype klogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype klogd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype klogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype klogd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype syslogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype syslogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype syslog_conf_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslog_conf_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype syslog_conf_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslog_conf_t (file (ioctl read write create getattr setattr lock 
append unlink link rename open watch watch_reads))) + (allow utype etc_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition utype etc_t file syslog_conf_t) + (allow utype syslogd_var_lib_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_var_lib_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype syslogd_var_lib_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_var_lib_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype syslogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype syslogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype var_t (dir (getattr open search))) + (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype logfile (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype logfile (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype logfile (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype 
logfile (file (map))) + (allow utype logfile (dir (getattr relabelfrom relabelto))) + (allow utype logfile (file (getattr relabelfrom relabelto))) + (allow utype filesystem_type (dir (getattr open search))) + (allow utype syslogd_initrc_exec_t (file (ioctl read getattr map execute open))) + (allow utype initrc_t (process (transition))) + (typetransition utype syslogd_initrc_exec_t process initrc_t) + (allow initrc_t utype (fd (use))) + (allow initrc_t utype (fifo_file (ioctl read write getattr lock append))) + (allow initrc_t utype (process (sigchld))) + (allow utype syslogd_initrc_exec_t (file (ioctl))) + (allow utype etc_t (dir (getattr open search))) + (allow sudo_type home_root_t (dir (ioctl read getattr lock open search))) + (allow sudo_type home_root_t (lnk_file (read getattr))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow 
sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition sudo_type user_home_dir_t fifo_file user_home_t) + (typetransition sudo_type user_home_dir_t sock_file user_home_t) + (typetransition sudo_type user_home_dir_t lnk_file user_home_t) + (typetransition sudo_type user_home_dir_t dir user_home_t) + (typetransition sudo_type user_home_dir_t file user_home_t) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type passwd_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type passwd_t (process (transition))) + (typetransition sudo_type passwd_exec_t process passwd_t) + (allow passwd_t sudo_type (fd (use))) + (allow passwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow passwd_t sudo_type (process (sigchld))) + (roletransition urole syslogd_initrc_exec_t process system_r) + (roletransition urole auditd_initrc_exec_t process system_r) + (roleallow urole system_r) + (roleallow urole system_r) + (booleanif (deny_ptrace) + (false + (allow utype auditd_t (process (ptrace))) + (allow utype klogd_t (process (ptrace))) + (allow utype syslogd_t (process (ptrace))) + ) + ) + (optional confinedom_admin_commands_optional_3 + (typeattributeset 
cil_gen_require tuned_t) + (allow utype tuned_t (dbus (send_msg))) + (allow tuned_t utype (dbus (send_msg))) + ) + (optional confinedom_admin_commands_optional_4 + (roleattributeset cil_gen_require wireshark_roles) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require wireshark_t) + (typeattributeset cil_gen_require wireshark_exec_t) + (typeattributeset cil_gen_require wireshark_home_t) + (typeattributeset cil_gen_require wireshark_tmp_t) + (typeattributeset cil_gen_require wireshark_tmpfs_t) + (roleattributeset cil_gen_require wireshark_roles) + (roleattributeset wireshark_roles (urole )) + (allow utype wireshark_exec_t (file (ioctl read getattr map execute open))) + (allow utype wireshark_t (process (transition))) + (typetransition utype wireshark_exec_t process wireshark_t) + (allow wireshark_t utype (fd (use))) + (allow wireshark_t utype (fifo_file (ioctl read write getattr lock append))) + (allow wireshark_t utype (process (sigchld))) + (allow utype wireshark_t (process (sigchld sigkill sigstop signull signal ptrace))) + (allow utype wireshark_t (dir (ioctl read getattr lock open search))) + (allow utype wireshark_t (file (ioctl read getattr lock open))) + (allow utype wireshark_t (lnk_file (read getattr))) + (allow utype wireshark_t (process (getattr))) + (allow utype wireshark_home_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype wireshark_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype wireshark_tmpfs_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype wireshark_home_t (file (ioctl read write 
create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype wireshark_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype wireshark_tmpfs_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype wireshark_home_t (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename watch watch_reads))) + (allow utype wireshark_tmpfs_t (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename watch watch_reads))) + (allow utype wireshark_tmpfs_t (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open))) + (allow utype wireshark_tmpfs_t (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype wireshark_t (shm (getattr read write associate unix_read unix_write lock))) + (typetransition utype user_home_dir_t dir ".wireshark" wireshark_home_t) + ) + ) +) + +(macro confinedom_graphical_login_macro ((type utype) (role urole) (type dbusd_type)) + + (optional confinedom_graphical_login_optional_2 + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require user_tmpfs_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset 
cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require port_type) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require sound_device_t) + (typeattributeset cil_gen_require event_device_t) + (typeattributeset cil_gen_require v4l_device_t) + (typeattributeset cil_gen_require wireless_device_t) + (typeattributeset cil_gen_require configfile) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require lib_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require usbfs_t) + (typeattributeset cil_gen_require usb_device_t) + (typeattributeset cil_gen_require noxattrfs) + (typeattributeset cil_gen_require dosfs_t) + (typeattributeset cil_gen_require removable_device_t) + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require sysctl_t) + (typeattributeset cil_gen_require sysctl_dev_t) + (typeattributeset cil_gen_require fonts_t) + (typeattributeset cil_gen_require locale_t) + (typeattributeset cil_gen_require mount_t) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require default_context_t) + (typeattributeset cil_gen_require fuse_device_t) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require user_home_t) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require user_home_type) + (typeattributeset cil_gen_require userdom_filetrans_type) + (typeattributeset cil_gen_require nfs_t) + (typeattributeset cil_gen_require autofs_t) + (typeattributeset cil_gen_require cifs_t) + (typeattributeset cil_gen_require xauth_t) + (typeattributeset cil_gen_require iceauth_t) + (typeattributeset cil_gen_require dridomain) + (typeattributeset cil_gen_require x_userdomain) + (typeattributeset 
cil_gen_require root_xdrawable_t) + (typeattributeset cil_gen_require xdm_t) + (typeattributeset cil_gen_require xserver_t) + (typeattributeset cil_gen_require xproperty_t) + (typeattributeset cil_gen_require user_xproperty_t) + (typeattributeset cil_gen_require xevent_t) + (typeattributeset cil_gen_require client_xevent_t) + (typeattributeset cil_gen_require input_xevent_t) + (typeattributeset cil_gen_require user_input_xevent_t) + (typeattributeset cil_gen_require x_domain) + (typeattributeset cil_gen_require input_xevent_type) + (typeattributeset cil_gen_require xdrawable_type) + (typeattributeset cil_gen_require xcolormap_type) + (typeattributeset cil_gen_require xdm_var_run_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require userdomain) + (typeattributeset cil_gen_require xdm_log_t) + (typeattributeset cil_gen_require xdmhomewriter) + (roleattributeset cil_gen_require urole) + (roletype urole user_home_dir_t) + (roletype urole user_home_type) + (roletype urole xauth_t) + (roletype urole iceauth_t) + (typeattributeset cil_gen_require xcolormap_type) + (typeattributeset xcolormap_type (utype )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (bin_t usr_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (bin_t usr_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (bin_t usr_t )) + (typeattributeset cil_gen_require xdmhomewriter) + (typeattributeset xdmhomewriter (utype )) + (typeattributeset cil_gen_require xdrawable_type) + (typeattributeset xdrawable_type (utype )) + (typeattributeset cil_gen_require userdom_filetrans_type) + (typeattributeset userdom_filetrans_type (utype )) + (typeattributeset cil_gen_require x_domain) + (typeattributeset x_domain (utype )) + (typeattributeset cil_gen_require x_userdomain) + (typeattributeset x_userdomain (utype )) + (typeattributeset 
cil_gen_require entry_type) + (typeattributeset entry_type (bin_t usr_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (bin_t usr_t )) + (typeattributeset cil_gen_require dridomain) + (typeattributeset dridomain (utype )) + (allow utype bin_t (file (entrypoint))) + (allow utype bin_t (file (ioctl read getattr lock map execute open))) + (allow utype usr_t (file (entrypoint))) + (allow utype usr_t (file (ioctl read getattr lock map execute open))) + (allow utype port_type (tcp_socket (name_connect))) + (allow utype utype (process (getattr setrlimit execmem))) + (allow utype utype (system (ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload undefined))) + (allow utype utype (netlink_kobject_uevent_socket (read))) + (allow utype device_t (dir (getattr open search))) + (allow utype sound_device_t (chr_file (ioctl write getattr lock append open))) + (allow utype device_t (dir (getattr open search))) + (allow utype sound_device_t (chr_file (ioctl read getattr lock open))) + (allow utype sound_device_t (chr_file (map))) + (allow utype device_t (dir (getattr open search))) + (allow utype event_device_t (chr_file (ioctl read write getattr lock append))) + (allow utype device_t (dir (getattr open search))) + (allow utype v4l_device_t (chr_file (ioctl read getattr lock open))) + (allow utype device_t (dir (getattr open search))) + (allow utype v4l_device_t (chr_file (ioctl write getattr lock append open))) + (allow utype device_t (dir (getattr open search))) + (allow utype wireless_device_t (chr_file (ioctl read write getattr lock append open))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (getattr watch))) + (allow utype configfile (dir (ioctl read getattr lock open search))) + (allow utype configfile (dir (getattr open search))) + (allow utype configfile (file (ioctl read getattr lock open))) + (allow utype 
configfile (dir (getattr open search))) + (allow utype configfile (lnk_file (read getattr))) + (allow utype etc_t (dir (getattr watch))) + (allow utype home_root_t (dir (getattr watch))) + (allow utype lib_t (dir (getattr watch))) + (allow utype usr_t (dir (getattr watch))) + (allow utype usr_t (file (getattr watch))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr watch))) + (allow utype var_run_t (dir (getattr watch))) + (allow utype tmp_t (dir (getattr watch))) + (allow utype init_t (unix_stream_socket (ioctl read write getattr setattr lock append bind connect listen accept getopt setopt shutdown))) + (allow utype proc_t (dir (getattr open search))) + (allow utype sysctl_t (dir (getattr open search))) + (allow utype sysctl_dev_t (dir (getattr open search))) + (allow utype sysctl_dev_t (file (ioctl read getattr lock open))) + (allow utype proc_t (dir (getattr open search))) + (allow utype sysctl_t (dir (getattr open search))) + (allow utype sysctl_dev_t (dir (ioctl read getattr lock open search))) + (allow utype fonts_t (dir (getattr watch))) + (allow utype locale_t (dir (getattr open search))) + (allow utype locale_t (lnk_file (getattr watch))) + (allow utype mount_t (process (signal))) + (allow utype etc_t (dir (getattr open search))) + (allow utype selinux_config_t (dir (getattr open search))) + (allow utype default_context_t (dir (ioctl read getattr lock open search))) + (allow utype default_context_t (dir (getattr open search))) + (allow utype default_context_t (file (ioctl read getattr lock open))) + (allow utype fuse_device_t (chr_file (ioctl read write getattr lock append open))) + (allow utype user_tmp_t (file (execute))) + (typemember utype user_home_dir_t dir user_home_dir_t) + (allow utype user_home_t (dir (mounton))) + (allow utype user_home_t (file (entrypoint))) + (allow utype user_home_type (file (relabelfrom relabelto))) + (allow utype user_home_type (dir (relabelfrom relabelto))) + (allow utype 
user_home_type (lnk_file (relabelfrom relabelto))) + (allow utype user_home_type (chr_file (relabelfrom relabelto))) + (allow utype user_home_type (blk_file (relabelfrom relabelto))) + (allow utype user_home_type (sock_file (relabelfrom relabelto))) + (allow utype user_home_type (fifo_file (relabelfrom relabelto))) + (allow utype user_home_dir_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (fifo_file 
(ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype user_home_type (dir (getattr relabelfrom relabelto))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype user_home_type (file (getattr relabelfrom relabelto))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype user_home_type (lnk_file (getattr relabelfrom relabelto))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype user_home_type (sock_file (getattr relabelfrom relabelto))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype user_home_type (fifo_file (getattr relabelfrom relabelto))) + (allow utype home_root_t (dir (ioctl read getattr lock open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype user_home_dir_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (typetransition utype root_xdrawable_t x_drawable utype) + (typetransition utype input_xevent_t x_event user_input_xevent_t) + (allow utype user_input_xevent_t (x_event (send))) + (allow utype user_input_xevent_t (x_synthetic_event (send))) + (allow utype user_input_xevent_t (x_event (receive))) + (allow utype user_input_xevent_t (x_synthetic_event (receive))) + (allow utype client_xevent_t (x_event (receive))) + (allow utype client_xevent_t (x_synthetic_event 
(receive))) + (allow utype xevent_t (x_event (send receive))) + (allow utype xevent_t (x_synthetic_event (send receive))) + (dontaudit utype input_xevent_type (x_event (send))) + (allow utype xdm_t (x_drawable (read add_child manage hide))) + (allow utype xdm_t (x_client (destroy))) + (allow utype root_xdrawable_t (x_drawable (write))) + (allow utype xserver_t (x_server (manage))) + (allow utype xserver_t (x_screen (saver_setattr saver_hide saver_show show_cursor hide_cursor))) + (allow utype xserver_t (x_pointer (get_property set_property manage))) + (allow utype xserver_t (x_keyboard (read manage freeze))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype tmp_t (lnk_file (read getattr))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype xdm_var_run_t (dir (getattr open search))) + (allow utype xdm_var_run_t (sock_file (write getattr append open))) + (allow utype xdm_t (unix_stream_socket (connectto))) + (allow utype user_tmp_t (dir (getattr open search))) + (allow utype user_tmp_t (sock_file (write getattr append open))) + (allow utype userdomain (unix_stream_socket (connectto))) + (allow utype xdm_log_t (file (getattr append))) + (booleanif (use_samba_home_dirs) + (true + (allow utype cifs_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cifs_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cifs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename 
watch watch_reads))) + (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cifs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cifs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype cifs_t (dir (mounton))) + (allow utype cifs_t (filesystem (mount))) + ) + ) + (booleanif (use_nfs_home_dirs) + (true + (allow utype nfs_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype nfs_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype nfs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype autofs_t (dir (getattr open search))) + (allow utype nfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype autofs_t (dir (getattr open search))) + (allow utype nfs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype autofs_t (dir (getattr open search))) + (allow utype nfs_t (dir (mounton))) + (allow utype nfs_t (filesystem (mount))) + ) + ) + (booleanif (selinuxuser_rw_noexattrfile) + (true + (allow utype removable_device_t (blk_file (ioctl write getattr 
lock append open))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype removable_device_t (blk_file (ioctl read getattr lock open))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype dosfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype dosfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype dosfs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype dosfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype noxattrfs (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype noxattrfs (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype noxattrfs (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype usb_device_t (chr_file (ioctl read write getattr lock append open))) + (allow utype device_t (dir (getattr open search))) + (allow utype usbfs_t (lnk_file (read getattr))) + (allow utype usbfs_t (dir (getattr open search))) + (allow utype usbfs_t (file (ioctl read write getattr lock append open))) + (allow utype usbfs_t (dir (getattr open search))) + (allow utype usbfs_t (dir (ioctl read getattr lock open search))) + (allow utype usbfs_t (dir (getattr open search))) + ) + ) + (optional confinedom_graphical_login_optional_3 + (typeattributeset cil_gen_require 
var_lib_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require alsa_var_lib_t) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype alsa_var_lib_t (dir (getattr open search))) + (allow utype alsa_var_lib_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_graphical_login_optional_4 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require fwupd_cache_t) + (allow utype var_t (dir (getattr open search))) + (allow utype fwupd_cache_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype fwupd_cache_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + ) + (optional confinedom_graphical_login_optional_5 + ;(type dbusd_type) + (roletype object_r dbusd_type) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require system_dbusd_t) + (typeattributeset cil_gen_require session_dbusd_tmp_t) + (typeattributeset cil_gen_require dbusd_unconfined) + (typeattributeset cil_gen_require session_bus_type) + (typeattributeset cil_gen_require dbusd_exec_t) + (typeattributeset cil_gen_require dbusd_etc_t) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require 
application_exec_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require system_dbusd_var_run_t) + (typeattributeset cil_gen_require system_dbusd_var_lib_t) + (typeattributeset cil_gen_require urandom_device_t) + (roleattributeset cil_gen_require urole) + (roletype urole dbusd_type) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (dbusd_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (dbusd_type )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (dbusd_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (dbusd_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (dbusd_type )) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset userdom_home_manager_type (dbusd_type )) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (dbusd_type )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (dbusd_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type 
(dbusd_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (dbusd_type )) + (typeattributeset cil_gen_require session_bus_type) + (typeattributeset session_bus_type (dbusd_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (dbusd_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (dbusd_type )) + (allow utype system_dbusd_t (dbus (acquire_svc))) + (allow utype session_dbusd_tmp_t (dir (ioctl write getattr lock open add_name search))) + (allow utype session_dbusd_tmp_t (sock_file (create getattr setattr open))) + (allow dbusd_type dbusd_exec_t (file (entrypoint))) + (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open))) + (allow dbusd_type security_t (lnk_file (read getattr))) + (allow dbusd_type sysfs_t (filesystem (getattr))) + (allow dbusd_type sysfs_t (dir (getattr open search))) + (allow dbusd_type sysfs_t (dir (getattr open search))) + (allow dbusd_type security_t (filesystem (getattr))) + (allow utype dbusd_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto))) + (allow dbusd_type utype (unix_stream_socket (read write getattr accept getopt))) + (allow dbusd_type utype (unix_dgram_socket (sendto))) + (allow utype dbusd_type (dbus (acquire_svc send_msg))) + (allow dbusd_unconfined dbusd_type (dbus (acquire_svc send_msg))) + (allow utype system_dbusd_t (dbus (acquire_svc send_msg))) + (allow utype dbusd_type (process (noatsecure siginh rlimitinh))) + (allow dbusd_type utype (dbus (send_msg))) + (allow utype dbusd_type (dbus (send_msg))) + (allow dbusd_type utype (system (start reload))) + (allow dbusd_type session_dbusd_tmp_t (service (start stop))) + (allow utype session_dbusd_tmp_t (dir (ioctl read write create getattr setattr 
lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype session_dbusd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype dbusd_exec_t (file (ioctl read getattr map execute open))) + (allow utype dbusd_type (process (transition))) + ;(typetransition utype dbusd_exec_t process dbusd_type) + (allow dbusd_type utype (fd (use))) + (allow dbusd_type utype (fifo_file (ioctl read write getattr lock append))) + (allow dbusd_type utype (process (sigchld))) + (allow utype dbusd_type (dir (ioctl read getattr lock open search))) + (allow utype dbusd_type (file (ioctl read getattr lock open))) + (allow utype dbusd_type (lnk_file (read getattr))) + (allow utype dbusd_type (process (getattr))) + (allow utype dbusd_type (process (sigchld sigkill sigstop signull signal))) + (allow dbusd_type bin_t (dir (getattr open search))) + (allow dbusd_type bin_t (lnk_file (read getattr))) + (allow dbusd_type bin_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (allow dbusd_type usr_t (dir (getattr open search))) + (allow dbusd_type usr_t (lnk_file (read getattr))) + (allow dbusd_type usr_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type bin_t process utype) + (typetransition dbusd_type usr_t process utype) + (allow dbusd_type bin_t (dir (getattr open search))) + (allow dbusd_type bin_t (dir (ioctl read getattr lock open search))) + (allow dbusd_type bin_t (dir (getattr open search))) + (allow dbusd_type bin_t (lnk_file (read getattr))) + (allow dbusd_type shell_exec_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type shell_exec_t process utype) + (allow dbusd_type utype 
(process (sigkill))) + (allow utype dbusd_type (fd (use))) + (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append open))) + (allow dbusd_type file_type (service (start stop status reload enable disable))) + (dontaudit dbusd_type self (capability (net_admin))) + (allow utype system_dbusd_t (dbus (send_msg))) + (allow utype self (dbus (send_msg))) + (allow system_dbusd_t utype (dbus (send_msg))) + (allow dbusd_unconfined utype (dbus (send_msg))) + (allow utype system_dbusd_var_lib_t (dir (getattr open search))) + (allow utype system_dbusd_var_lib_t (file (ioctl read getattr lock open))) + (allow utype system_dbusd_var_lib_t (dir (getattr open search))) + (allow utype system_dbusd_var_lib_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype urandom_device_t (chr_file (ioctl read getattr lock open))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype system_dbusd_var_run_t (dir (getattr open search))) + (allow utype system_dbusd_var_run_t (sock_file (write getattr append open))) + (allow utype system_dbusd_t (unix_stream_socket (connectto))) + (allow utype dbusd_etc_t (dir (ioctl read getattr lock open search))) + (allow utype dbusd_etc_t (file (ioctl read getattr lock open))) + (allow utype session_dbusd_tmp_t (dir (getattr open search))) + (allow utype session_dbusd_tmp_t (sock_file (write getattr append open))) + (allow utype utype (dbus (send_msg))) + (booleanif (deny_ptrace) + (false + (allow utype dbusd_type (process (ptrace))) + ) + ) + (optional confinedom_graphical_login_optional_6 + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + 
(typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require mozilla_exec_t) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (mozilla_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (mozilla_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (mozilla_exec_t )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (mozilla_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (mozilla_exec_t )) + (allow utype mozilla_exec_t (file (entrypoint))) + (allow utype mozilla_exec_t (file (ioctl read getattr lock map execute open))) + (allow dbusd_type mozilla_exec_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type mozilla_exec_t process utype) + (allow utype dbusd_type (fd (use))) + (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append))) + (allow utype dbusd_type (process (sigchld))) + ) + (optional confinedom_graphical_login_optional_7 + (typeattributeset cil_gen_require systemd_unit_file_t) + (allow dbusd_type systemd_unit_file_t (service (start))) + ) + (optional confinedom_graphical_login_optional_8 + (typeattributeset cil_gen_require unconfined_service_t) + (allow utype unconfined_service_t (dbus (send_msg))) + (allow unconfined_service_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_9 + (typeattributeset cil_gen_require accountsd_t) + (allow utype accountsd_t (dbus (send_msg))) + (allow accountsd_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_10 + (typeattributeset cil_gen_require avahi_t) + (allow utype avahi_t (dbus (send_msg))) + (allow avahi_t utype (dbus (send_msg))) + ) + (optional 
confinedom_graphical_login_optional_11 + (typeattributeset cil_gen_require bluetooth_t) + (allow utype bluetooth_t (dbus (send_msg))) + (allow bluetooth_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_12 + (typeattributeset cil_gen_require colord_t) + (allow utype colord_t (dbus (send_msg))) + (allow colord_t utype (dbus (send_msg))) + (allow colord_t utype (dir (ioctl read getattr lock open search))) + (allow colord_t utype (file (ioctl read getattr lock open))) + (allow colord_t utype (lnk_file (read getattr))) + (allow colord_t utype (process (getattr))) + ) + (optional confinedom_graphical_login_optional_13 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require consolekit_t) + (typeattributeset cil_gen_require consolekit_log_t) + (typeattributeset cil_gen_require var_log_t) + (allow utype consolekit_t (dbus (send_msg))) + (allow consolekit_t utype (dbus (send_msg))) + (allow utype consolekit_log_t (dir (getattr open search))) + (allow utype consolekit_log_t (file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_log_t (dir (getattr open search))) + ) + (optional confinedom_graphical_login_optional_14 + (typeattributeset cil_gen_require devicekit_t) + (typeattributeset cil_gen_require devicekit_power_t) + (typeattributeset cil_gen_require devicekit_disk_t) + (allow utype devicekit_t (dbus (send_msg))) + (allow devicekit_t utype (dbus (send_msg))) + (allow utype devicekit_power_t (dbus (send_msg))) + (allow devicekit_power_t utype (dbus (send_msg))) + (allow utype devicekit_disk_t (dbus (send_msg))) + (allow devicekit_disk_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_15 + (typeattributeset cil_gen_require evolution_t) + (typeattributeset cil_gen_require evolution_alarm_t) + (allow utype evolution_t (dbus (send_msg))) + (allow evolution_t utype (dbus (send_msg))) + (allow utype evolution_alarm_t (dbus (send_msg))) + (allow 
evolution_alarm_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_16 + (typeattributeset cil_gen_require firewalld_t) + (allow utype firewalld_t (dbus (send_msg))) + (allow firewalld_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_17 + (typeattributeset cil_gen_require geoclue_t) + (allow utype geoclue_t (dbus (send_msg))) + (allow geoclue_t utype (dbus (send_msg))) + (allow geoclue_t utype (dir (ioctl read getattr lock open search))) + (allow geoclue_t utype (file (ioctl read getattr lock open))) + (allow geoclue_t utype (lnk_file (read getattr))) + (allow geoclue_t utype (process (getattr))) + ) + (optional confinedom_graphical_login_optional_18 + (typeattributeset cil_gen_require gconfdefaultsm_t) + (allow utype gconfdefaultsm_t (dbus (send_msg))) + (allow gconfdefaultsm_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_19 + (typeattributeset cil_gen_require fprintd_t) + (allow utype fprintd_t (dbus (send_msg))) + (allow fprintd_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_20 + (typeattributeset cil_gen_require fwupd_t) + (allow utype fwupd_t (dbus (send_msg))) + (allow fwupd_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_21 + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require hwloc_dhwd_exec_t) + (typeattributeset cil_gen_require hwloc_var_run_t) + (allow utype hwloc_dhwd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype hwloc_var_run_t (dir (getattr open search))) + (allow utype hwloc_var_run_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_graphical_login_optional_22 + 
(typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require memcached_t) + (typeattributeset cil_gen_require memcached_var_run_t) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype memcached_var_run_t (dir (getattr open search))) + (allow utype memcached_var_run_t (sock_file (write getattr append open))) + (allow utype memcached_t (unix_stream_socket (connectto))) + ) + (optional confinedom_graphical_login_optional_23 + (typeattributeset cil_gen_require modemmanager_t) + (allow utype modemmanager_t (dbus (send_msg))) + (allow modemmanager_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_24 + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require NetworkManager_t) + (typeattributeset cil_gen_require NetworkManager_var_lib_t) + (allow utype NetworkManager_t (dbus (send_msg))) + (allow NetworkManager_t utype (dbus (send_msg))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype NetworkManager_var_lib_t (dir (getattr open search))) + (allow utype NetworkManager_var_lib_t (dir (ioctl read getattr lock open search))) + (allow utype NetworkManager_var_lib_t (dir (getattr open search))) + (allow utype NetworkManager_var_lib_t (file (ioctl read getattr lock open))) + (allow utype NetworkManager_var_lib_t (file (map))) + ) + (optional confinedom_graphical_login_optional_25 + (typeattributeset cil_gen_require policykit_t) + (allow policykit_t utype (dir (ioctl read getattr lock open search))) + (allow policykit_t utype (file (ioctl read getattr lock open))) + (allow policykit_t utype (lnk_file (read getattr))) + (allow policykit_t utype (process (getattr))) + (allow utype policykit_t 
(dbus (send_msg))) + (allow policykit_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_26 + (typeattributeset cil_gen_require rpm_t) + (allow utype rpm_t (dbus (send_msg))) + (allow rpm_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_27 + (typeattributeset cil_gen_require vpnc_t) + (allow utype vpnc_t (dbus (send_msg))) + (allow vpnc_t utype (dbus (send_msg))) + ) + ) + (optional confinedom_graphical_login_optional_28 + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require rpm_var_lib_t) + (typeattributeset cil_gen_require rpm_var_cache_t) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype rpm_var_lib_t (dir (ioctl read getattr lock open search))) + (allow utype rpm_var_lib_t (dir (getattr open search))) + (allow utype rpm_var_lib_t (file (ioctl read getattr lock open))) + (allow utype rpm_var_lib_t (dir (getattr open search))) + (allow utype rpm_var_lib_t (lnk_file (read getattr))) + (allow utype rpm_var_lib_t (file (map))) + (allow utype var_t (dir (getattr open search))) + (allow utype rpm_var_cache_t (dir (ioctl read getattr lock open search))) + (allow utype rpm_var_cache_t (dir (getattr open search))) + (allow utype rpm_var_cache_t (file (ioctl read getattr lock open))) + (allow utype rpm_var_cache_t (dir (getattr open search))) + (allow utype rpm_var_cache_t (lnk_file (read getattr))) + ) + (optional confinedom_graphical_login_optional_29 + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require systemd_logind_t) + (typeattributeset cil_gen_require systemd_timedated_t) + (typeattributeset cil_gen_require systemd_hostnamed_t) + (typeattributeset cil_gen_require systemd_localed_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require init_script_file_type) 
+ (typeattributeset cil_gen_require systemd_logind_var_run_t) + (typeattributeset cil_gen_require systemd_logind_sessions_t) + (typeattributeset cil_gen_require init_var_run_t) + (typeattributeset cil_gen_require systemd_machined_var_run_t) + (typeattributeset cil_gen_require systemd_logind_inhibit_var_run_t) + (allow utype systemd_logind_t (dbus (send_msg))) + (allow systemd_logind_t utype (dbus (send_msg))) + (allow systemd_logind_t utype (dir (ioctl read getattr lock open search))) + (allow systemd_logind_t utype (file (ioctl read getattr lock open))) + (allow systemd_logind_t utype (lnk_file (read getattr))) + (allow systemd_logind_t utype (process (getattr))) + (allow systemd_logind_t utype (process (signal))) + (allow utype systemd_logind_t (fd (use))) + (allow utype systemd_timedated_t (dbus (send_msg))) + (allow systemd_timedated_t utype (dbus (send_msg))) + (allow systemd_timedated_t utype (dir (ioctl read getattr lock open search))) + (allow systemd_timedated_t utype (file (ioctl read getattr lock open))) + (allow systemd_timedated_t utype (lnk_file (read getattr))) + (allow systemd_timedated_t utype (process (getattr))) + (allow utype systemd_hostnamed_t (dbus (send_msg))) + (allow systemd_hostnamed_t utype (dbus (send_msg))) + (allow systemd_hostnamed_t utype (dir (ioctl read getattr lock open search))) + (allow systemd_hostnamed_t utype (file (ioctl read getattr lock open))) + (allow systemd_hostnamed_t utype (lnk_file (read getattr))) + (allow systemd_hostnamed_t utype (process (getattr))) + (allow utype systemd_localed_t (dbus (send_msg))) + (allow systemd_localed_t utype (dbus (send_msg))) + (allow systemd_localed_t utype (dir (ioctl read getattr lock open search))) + (allow systemd_localed_t utype (file (ioctl read getattr lock open))) + (allow systemd_localed_t utype (lnk_file (read getattr))) + (allow systemd_localed_t utype (process (getattr))) + (allow utype systemd_unit_file_type (service (start stop status reload enable disable))) + (allow 
utype init_script_file_type (service (start stop status reload enable disable))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr watch))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_sessions_t (dir (getattr watch))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_machined_var_run_t (dir (getattr watch))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_sessions_t (dir (ioctl read getattr lock open search))) + (allow utype systemd_logind_sessions_t (dir (getattr open search))) + (allow utype systemd_logind_sessions_t (file (ioctl read getattr lock open))) + (allow utype systemd_logind_inhibit_var_run_t (fifo_file (write))) + ) + (optional confinedom_graphical_login_optional_30 + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require cupsd_t) + (typeattributeset cil_gen_require cupsd_var_run_t) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype cupsd_var_run_t (dir (getattr open search))) + (allow utype cupsd_var_run_t (sock_file (write getattr append open))) + (allow utype cupsd_t (unix_stream_socket (connectto))) + (allow utype cupsd_var_run_t (sock_file (read getattr open))) + ) + (optional confinedom_graphical_login_optional_31 + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require mount_t) + 
(typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require fusermount_exec_t) + (typeattributeset cil_gen_require fsadm_t) + (typeattributeset cil_gen_require fsadm_exec_t) + (typeattributeset cil_gen_require mount_var_run_t) + (roleattributeset cil_gen_require urole) + (roletype urole mount_t) + (roletype urole fsadm_t) + (allow utype fusermount_exec_t (file (ioctl read getattr map execute open))) + (allow utype mount_t (process (transition))) + (typetransition utype fusermount_exec_t process mount_t) + (allow mount_t utype (fd (use))) + (allow mount_t utype (fifo_file (ioctl read write getattr lock append))) + (allow mount_t utype (process (sigchld))) + (allow mount_t utype (dir (ioctl read getattr lock open search))) + (allow mount_t utype (file (ioctl read getattr lock open))) + (allow mount_t utype (lnk_file (read getattr))) + (allow mount_t utype (process (getattr))) + (allow mount_t utype (unix_stream_socket (read write))) + (allow utype mount_t (fd (use))) + (allow mount_t bin_t (dir (getattr open search))) + (allow mount_t bin_t (lnk_file (read getattr))) + (allow mount_t bin_t (dir (getattr open search))) + (allow mount_t bin_t (dir (getattr open search))) + (allow mount_t fsadm_exec_t (file (ioctl read getattr map execute open))) + (allow mount_t fsadm_t (process (transition))) + (typetransition mount_t fsadm_exec_t process fsadm_t) + (allow fsadm_t mount_t (fd (use))) + (allow fsadm_t mount_t (fifo_file (ioctl read write getattr lock append))) + (allow fsadm_t mount_t (process (sigchld))) + (allow utype mount_var_run_t (dir (getattr open search))) + (allow utype mount_var_run_t (file (ioctl read getattr lock open))) + (allow utype mount_var_run_t (dir (getattr open search))) + (allow utype mount_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr 
open search))) + ) + (optional confinedom_graphical_login_optional_32 + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require pulseaudio_tmpfsfile) + (typeattributeset cil_gen_require pulseaudio_t) + (typeattributeset cil_gen_require pulseaudio_exec_t) + (typeattributeset cil_gen_require pulseaudio_tmpfs_t) + (typeattributeset cil_gen_require user_tmp_type) + (typeattributeset cil_gen_require pulseaudio_home_t) + (roleattributeset cil_gen_require urole) + (roletype urole user_tmp_t) + (roletype urole pulseaudio_t) + (allow utype pulseaudio_exec_t (file (ioctl read getattr map execute open))) + (allow utype pulseaudio_t (process (transition))) + (typetransition utype pulseaudio_exec_t process pulseaudio_t) + (allow pulseaudio_t utype (fd (use))) + (allow pulseaudio_t utype (fifo_file (ioctl read write getattr lock append))) + (allow pulseaudio_t utype (process (sigchld))) + (allow utype pulseaudio_t (dir (ioctl read getattr lock open search))) + (allow utype pulseaudio_t (file (ioctl read getattr lock open))) + (allow utype pulseaudio_t (lnk_file (read getattr))) + (allow utype pulseaudio_t (process (getattr))) + (allow pulseaudio_t utype (process (signull signal))) + (allow utype pulseaudio_t (process (sigkill signull signal))) + (allow utype pulseaudio_t (process2 (nnp_transition))) + (allow pulseaudio_t utype (dir (ioctl read getattr lock open search))) + (allow pulseaudio_t utype (file (ioctl read getattr lock open))) + (allow pulseaudio_t utype (lnk_file (read getattr))) + (allow pulseaudio_t utype (process (getattr))) + (allow pulseaudio_t utype (unix_stream_socket (connectto))) + (allow utype pulseaudio_t (unix_stream_socket (connectto))) + (allow utype pulseaudio_tmpfsfile (dir (ioctl read write create getattr setattr lock relabelfrom relabelto 
unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype pulseaudio_tmpfs_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype pulseaudio_tmpfsfile (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype pulseaudio_tmpfs_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (typemember pulseaudio_t tmp_t dir user_tmp_t) + (allow pulseaudio_t user_tmp_type (dir (mounton))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow pulseaudio_t user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow pulseaudio_t user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow pulseaudio_t user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow pulseaudio_t user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow pulseaudio_t tmp_t (dir (ioctl read 
write getattr lock open add_name remove_name search))) + (typetransition pulseaudio_t tmp_t fifo_file user_tmp_t) + (typetransition pulseaudio_t tmp_t sock_file user_tmp_t) + (typetransition pulseaudio_t tmp_t lnk_file user_tmp_t) + (typetransition pulseaudio_t tmp_t dir user_tmp_t) + (typetransition pulseaudio_t tmp_t file user_tmp_t) + (allow user_tmp_t tmpfs_t (filesystem (associate))) + (allow pulseaudio_t tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition pulseaudio_t tmpfs_t fifo_file user_tmp_t) + (typetransition pulseaudio_t tmpfs_t sock_file user_tmp_t) + (typetransition pulseaudio_t tmpfs_t lnk_file user_tmp_t) + (typetransition pulseaudio_t tmpfs_t dir user_tmp_t) + (typetransition pulseaudio_t tmpfs_t file user_tmp_t) + (allow pulseaudio_t user_tmp_type (dir (getattr open search))) + (allow pulseaudio_t user_tmp_type (dir (getattr relabelfrom relabelto))) + (allow pulseaudio_t user_tmp_type (dir (getattr open search))) + (allow pulseaudio_t user_tmp_type (file (getattr relabelfrom relabelto))) + (allow pulseaudio_t user_tmp_type (dir (getattr open search))) + (allow pulseaudio_t user_tmp_type (lnk_file (getattr relabelfrom relabelto))) + (allow pulseaudio_t user_tmp_type (dir (getattr open search))) + (allow pulseaudio_t user_tmp_type (sock_file (getattr relabelfrom relabelto))) + (allow pulseaudio_t user_tmp_type (dir (getattr open search))) + (allow pulseaudio_t user_tmp_type (fifo_file (getattr relabelfrom relabelto))) + (allow pulseaudio_t user_tmp_type (file (map))) + (allow utype pulseaudio_t (dbus (send_msg))) + (allow pulseaudio_t utype (dbus (acquire_svc send_msg))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype 
home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (typetransition utype user_home_dir_t file ".esd_auth" pulseaudio_home_t) + (typetransition utype user_home_dir_t file ".pulse-cookie" pulseaudio_home_t) + (typetransition utype user_home_dir_t dir ".pulse" pulseaudio_home_t) + (optional confinedom_graphical_login_optional_33 + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require config_home_t) + (allow utype config_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_dir_t (lnk_file (read getattr))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (typetransition utype config_home_t dir "pulse" pulseaudio_home_t) + ) + ) + (optional confinedom_graphical_login_optional_34 + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require vdagent_log_t) + (typeattributeset cil_gen_require vdagent_var_run_t) + (typeattributeset cil_gen_require vdagent_t) + (allow utype var_t (dir (getattr open search))) + (allow utype var_log_t (dir (getattr open search))) + (allow utype vdagent_log_t (file (getattr))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype vdagent_var_run_t (dir (getattr open search))) + (allow utype vdagent_var_run_t (sock_file (write getattr append open))) + (allow utype 
vdagent_t (unix_stream_socket (connectto))) + ) + (optional confinedom_graphical_login_optional_35 + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require rtkit_daemon_t) + (allow rtkit_daemon_t utype (process (getsched setsched))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_t (dir (getattr open search))) + (allow rtkit_daemon_t utype (dir (ioctl read getattr lock open search))) + (allow rtkit_daemon_t utype (file (ioctl read getattr lock open))) + (allow rtkit_daemon_t utype (lnk_file (read getattr))) + (allow rtkit_daemon_t utype (process (getattr))) + (optional confinedom_graphical_login_optional_36 + (typeattributeset cil_gen_require rtkit_daemon_t) + (allow utype rtkit_daemon_t (dbus (send_msg))) + (allow rtkit_daemon_t utype (dbus (send_msg))) + ) + ) + ) +) + +(macro confinedom_mozilla_usage_macro ((type utype) (role urole)) + (optional confinedom_mozilla_usage_optional + (roleattributeset cil_gen_require mozilla_roles) + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require mozilla_t) + (typeattributeset cil_gen_require mozilla_exec_t) + (typeattributeset cil_gen_require mozilla_home_t) + (typeattributeset cil_gen_require mozilla_tmpfs_t) + (typeattributeset cil_gen_require utype) + (optional confinedom_mozilla_usage_optional_3 + (roleattributeset cil_gen_require mozilla_plugin_roles) + (roleattributeset cil_gen_require mozilla_plugin_config_roles) + (typeattributeset cil_gen_require mozilla_t) + (typeattributeset cil_gen_require mozilla_home_t) + (typeattributeset cil_gen_require mozilla_plugin_t) + (typeattributeset cil_gen_require mozilla_plugin_exec_t) + (typeattributeset cil_gen_require mozilla_plugin_config_t) + (typeattributeset cil_gen_require mozilla_plugin_config_exec_t) + (typeattributeset cil_gen_require mozilla_plugin_rw_t) + (typeattributeset cil_gen_require lib_t) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require home_root_t) + 
(roleattributeset cil_gen_require mozilla_plugin_config_roles) + (roleattributeset mozilla_plugin_config_roles (urole )) + (roleattributeset cil_gen_require mozilla_plugin_roles) + (roleattributeset mozilla_plugin_roles (urole )) + (allow utype mozilla_t (process (noatsecure siginh rlimitinh))) + (allow utype mozilla_t (dir (ioctl read getattr lock open search))) + (allow utype mozilla_t (file (ioctl read getattr lock open))) + (allow utype mozilla_t (lnk_file (read getattr))) + (allow utype mozilla_t (process (getattr))) + (allow utype mozilla_t (process (sigchld sigkill sigstop signull signal))) + (allow utype mozilla_t (fd (use))) + (allow utype mozilla_t (shm (getattr associate))) + (allow utype mozilla_t (shm (unix_read unix_write))) + (allow utype mozilla_t (unix_stream_socket (connectto))) + (allow utype mozilla_plugin_exec_t (file (ioctl read getattr map execute open))) + (allow utype mozilla_plugin_t (process (transition))) + (typetransition utype mozilla_plugin_exec_t process mozilla_plugin_t) + (allow mozilla_plugin_t utype (fd (use))) + (allow mozilla_plugin_t utype (fifo_file (ioctl read write getattr lock append))) + (allow mozilla_plugin_t utype (process (sigchld))) + (allow utype mozilla_plugin_config_exec_t (file (ioctl read getattr map execute open))) + (allow utype mozilla_plugin_config_t (process (transition))) + (typetransition utype mozilla_plugin_config_exec_t process mozilla_plugin_config_t) + (allow mozilla_plugin_config_t utype (fd (use))) + (allow mozilla_plugin_config_t utype (fifo_file (ioctl read write getattr lock append))) + (allow mozilla_plugin_config_t utype (process (sigchld))) + (allow mozilla_plugin_t utype (process (signull))) + (dontaudit mozilla_plugin_config_t utype (file (ioctl read getattr lock))) + (dontaudit mozilla_plugin_t utype (process (signal))) + (allow utype mozilla_plugin_t (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown connectto))) + (allow utype 
mozilla_plugin_t (fd (use))) + (allow mozilla_plugin_t utype (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown))) + (allow mozilla_plugin_t utype (unix_dgram_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown sendto))) + (allow mozilla_plugin_t utype (shm (destroy getattr read write associate unix_read unix_write lock))) + (allow mozilla_plugin_t utype (sem (create destroy getattr setattr read write associate unix_read unix_write))) + (allow utype mozilla_plugin_t (sem (getattr read write associate unix_read unix_write))) + (allow utype mozilla_plugin_t (shm (getattr read write associate unix_read unix_write lock))) + (allow utype mozilla_plugin_t (fifo_file (ioctl read write getattr lock append open))) + (allow utype mozilla_plugin_t (dir (ioctl read getattr lock open search))) + (allow utype mozilla_plugin_t (file (ioctl read getattr lock open))) + (allow utype mozilla_plugin_t (lnk_file (read getattr))) + (allow utype mozilla_plugin_t (process (getattr))) + (allow mozilla_plugin_t utype (dir (ioctl read getattr lock open search))) + (allow mozilla_plugin_t utype (file (ioctl read getattr lock open))) + (allow mozilla_plugin_t utype (lnk_file (read getattr))) + (allow mozilla_plugin_t utype (process (getattr))) + (allow utype mozilla_plugin_t (process (sigchld sigkill sigstop signull signal noatsecure))) + (allow utype mozilla_plugin_rw_t (dir (getattr open search))) + (allow utype mozilla_plugin_rw_t (dir (ioctl read getattr lock open search))) + (allow utype mozilla_plugin_rw_t (dir (getattr open search))) + (allow utype mozilla_plugin_rw_t (file (ioctl read getattr lock open))) + (allow utype mozilla_plugin_rw_t (dir (getattr open search))) + (allow utype mozilla_plugin_rw_t (lnk_file (read getattr))) + (allow utype mozilla_plugin_rw_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype mozilla_plugin_t (dbus (send_msg))) + (allow 
mozilla_plugin_t utype (dbus (send_msg))) + (allow mozilla_plugin_t utype (process (signull))) + (allow utype mozilla_t (dbus (send_msg))) + (allow mozilla_t utype (dbus (send_msg))) + (allow utype mozilla_plugin_rw_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + 
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name 
remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (typetransition utype user_home_dir_t dir ".webex" mozilla_home_t) + (typetransition utype user_home_dir_t file "mozilla.pdf" mozilla_home_t) + (typetransition utype user_home_dir_t file ".gnashpluginrc" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".IBMERS" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".lyx" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".juniper_networks" mozilla_home_t) + (typetransition utype user_home_dir_t dir "zimbrauserdata" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".ICAClient" mozilla_home_t) 
+ (typetransition utype user_home_dir_t dir ".spicec" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".quakelive" mozilla_home_t) + (typetransition utype user_home_dir_t file "abc" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".icedtea" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".icedteaplugin" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".gcjwebplugin" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".grl-podcasts" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".gnash" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".macromedia" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".adobe" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".phoenix" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".netscape" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".thunderbird" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".mozilla" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".java" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".galeon" mozilla_home_t) + (typetransition utype mozilla_plugin_rw_t file "nswrapper_32_64.nppdf.so" lib_t) + (booleanif (deny_ptrace) + (false + (allow utype mozilla_plugin_t (process (ptrace))) + ) + ) + (optional confinedom_mozilla_usage_optional_4 + (roleattributeset cil_gen_require lpr_roles) + (typeattributeset cil_gen_require lpr_t) + (typeattributeset cil_gen_require lpr_exec_t) + (roleattributeset cil_gen_require lpr_roles) + (roleattributeset lpr_roles (urole )) + (allow mozilla_plugin_t lpr_exec_t (file (ioctl read getattr map execute open))) + (allow mozilla_plugin_t lpr_t (process (transition))) + (typetransition mozilla_plugin_t lpr_exec_t process lpr_t) + (allow lpr_t mozilla_plugin_t (fd (use))) + (allow lpr_t mozilla_plugin_t (fifo_file (ioctl read write getattr lock append))) + (allow lpr_t mozilla_plugin_t (process (sigchld))) + ) + (optional 
confinedom_mozilla_usage_optional_5 + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require cache_home_t) + (allow utype cache_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_dir_t (lnk_file (read getattr))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype cache_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_dir_t (lnk_file (read getattr))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (typetransition utype cache_home_t dir "icedtea-web" mozilla_home_t) + (typetransition utype cache_home_t dir "mozilla" mozilla_home_t) + ) + ) + ) +) + +(macro confinedom_networking_macro ((type utype) (role urole)) + (optional confinedom_networking_optional_2 + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require ping_t) + (typeattributeset cil_gen_require ping_exec_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require traceroute_t) + (typeattributeset cil_gen_require traceroute_exec_t) + (roleattributeset cil_gen_require urole) + (roletype urole ping_t) + (roletype urole traceroute_t) + (booleanif (selinuxuser_ping) + (true + (allow utype ping_t (process (sigkill signal))) + (allow ping_t utype (process (sigchld))) + (allow ping_t utype (fifo_file (ioctl read write getattr lock append))) + (allow ping_t utype (fd (use))) + (typetransition utype ping_exec_t process ping_t) + (allow utype ping_t (process (transition))) + (allow utype ping_exec_t (file (ioctl read getattr map execute open))) + (allow utype bin_t (dir (getattr open search))) + 
(allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype traceroute_t (process (sigkill signal))) + (allow traceroute_t utype (process (sigchld))) + (allow traceroute_t utype (fifo_file (ioctl read write getattr lock append))) + (allow traceroute_t utype (fd (use))) + (typetransition utype traceroute_exec_t process traceroute_t) + (allow utype traceroute_t (process (transition))) + (allow utype traceroute_exec_t (file (ioctl read getattr map execute open))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + ) + ) + ) +) + +(macro confinedom_security_advanced_macro ((type utype) (role urole) (type sudo_type) (type userhelper_type)) + (optional confinedom_security_advanced_optional_2 + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require sudo_type) + (typeattributeset cil_gen_require auditd_log_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require auditd_etc_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require can_setenforce) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require secure_mode_policyload_t) + (typeattributeset cil_gen_require boolean_type) + (typeattributeset cil_gen_require can_setbool) + (typeattributeset cil_gen_require semanage_t) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require semanage_store_t) + (typeattributeset cil_gen_require selinux_login_config_t) + (typeattributeset cil_gen_require semanage_exec_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require setfiles_t) + (typeattributeset 
cil_gen_require setfiles_exec_t) + (typeattributeset cil_gen_require load_policy_t) + (typeattributeset cil_gen_require load_policy_exec_t) + (typeattributeset cil_gen_require newrole_t) + (typeattributeset cil_gen_require newrole_exec_t) + (typeattributeset cil_gen_require updpwd_t) + (typeattributeset cil_gen_require updpwd_exec_t) + (typeattributeset cil_gen_require shadow_t) + (roleattributeset cil_gen_require urole) + (roletype urole semanage_t) + (roletype urole setfiles_t) + (roletype urole load_policy_t) + (roletype urole newrole_t) + (roletype urole updpwd_t) + (typeattributeset cil_gen_require can_setbool) + (typeattributeset can_setbool (utype )) + (typeattributeset cil_gen_require can_setenforce) + (typeattributeset can_setenforce (utype )) + (allow utype var_t (dir (getattr open search))) + (allow utype auditd_log_t (dir (getattr open search))) + (allow utype auditd_log_t (file (ioctl read getattr lock open))) + (allow utype auditd_log_t (dir (getattr open search))) + (allow utype auditd_log_t (lnk_file (read getattr))) + (allow utype auditd_log_t (dir (ioctl read getattr lock open search))) + (allow utype etc_t (dir (getattr open search))) + (allow utype auditd_etc_t (dir (getattr open search))) + (allow utype auditd_etc_t (file (ioctl read getattr lock open))) + (allow utype auditd_etc_t (dir (ioctl read getattr lock open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read write getattr lock append open))) + (allow utype sysfs_t (filesystem (getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype boolean_type (dir (ioctl read getattr lock open search))) + (allow utype boolean_type 
(file (ioctl read write getattr lock append open))) + (allow semanage_t utype (dir (ioctl read getattr lock open search))) + (allow semanage_t utype (file (ioctl read getattr lock open))) + (allow semanage_t utype (lnk_file (read getattr))) + (allow semanage_t utype (process (getattr))) + (allow utype semanage_t (dbus (send_msg))) + (allow semanage_t utype (dbus (send_msg))) + (allow utype etc_t (dir (getattr open search))) + (allow utype var_t (dir (getattr open search))) + (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype semanage_store_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype semanage_store_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype semanage_store_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype semanage_store_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype etc_t (dir (getattr open search))) + (allow utype 
selinux_config_t (dir (getattr open search))) + (allow utype selinux_login_config_t (dir (ioctl read getattr lock open search))) + (allow utype selinux_login_config_t (dir (getattr open search))) + (allow utype selinux_login_config_t (file (ioctl read getattr lock open))) + (allow utype selinux_login_config_t (dir (getattr open search))) + (allow utype selinux_login_config_t (lnk_file (read getattr))) + (allow sudo_type usr_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type semanage_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type semanage_t (process (transition))) + (typetransition sudo_type semanage_exec_t process semanage_t) + (allow semanage_t sudo_type (fd (use))) + (allow semanage_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow semanage_t sudo_type (process (sigchld))) + (allow semanage_t usr_t (dir (getattr open search))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t bin_t (lnk_file (read getattr))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t setfiles_exec_t (file (ioctl read getattr map execute open))) + (allow semanage_t setfiles_t (process (transition))) + (typetransition semanage_t setfiles_exec_t process setfiles_t) + (allow setfiles_t semanage_t (fd (use))) + (allow setfiles_t semanage_t (fifo_file (ioctl read write getattr lock append))) + (allow setfiles_t semanage_t (process (sigchld))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t bin_t (lnk_file (read getattr))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t load_policy_exec_t (file (ioctl read getattr map execute 
open))) + (allow semanage_t load_policy_t (process (transition))) + (typetransition semanage_t load_policy_exec_t process load_policy_t) + (allow load_policy_t semanage_t (fd (use))) + (allow load_policy_t semanage_t (fifo_file (ioctl read write getattr lock append))) + (allow load_policy_t semanage_t (process (sigchld))) + (allow utype usr_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype newrole_exec_t (file (ioctl read getattr map execute open))) + (allow utype newrole_t (process (transition))) + (typetransition utype newrole_exec_t process newrole_t) + (allow newrole_t utype (fd (use))) + (allow newrole_t utype (fifo_file (ioctl read write getattr lock append))) + (allow newrole_t utype (process (sigchld))) + (allow newrole_t updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow newrole_t updpwd_t (process (transition))) + (typetransition newrole_t updpwd_exec_t process updpwd_t) + (allow updpwd_t newrole_t (fd (use))) + (allow updpwd_t newrole_t (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t newrole_t (process (sigchld))) + (dontaudit newrole_t shadow_t (file (ioctl read getattr lock open))) + (allow sudo_type usr_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type setfiles_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type setfiles_t (process (transition))) + (typetransition sudo_type setfiles_exec_t process setfiles_t) + (allow setfiles_t sudo_type (fd (use))) + (allow setfiles_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow setfiles_t sudo_type (process (sigchld))) + 
(typetransition utype selinux_config_t dir "tmp" semanage_store_t) + (typetransition utype selinux_config_t dir "previous" semanage_store_t) + (typetransition utype selinux_config_t dir "active" semanage_store_t) + (typetransition utype selinux_config_t dir "modules" semanage_store_t) + (optional confinedom_security_advanced_optional_3 + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require setfiles_t) + (typeattributeset cil_gen_require setfiles_exec_t) + (typeattributeset cil_gen_require namespace_init_t) + (typeattributeset cil_gen_require namespace_init_exec_t) + (roleattributeset cil_gen_require urole) + (roletype urole setfiles_t) + (roletype urole namespace_init_t) + (allow newrole_t namespace_init_exec_t (file (ioctl read getattr map execute open))) + (allow newrole_t namespace_init_t (process (transition))) + (typetransition newrole_t namespace_init_exec_t process namespace_init_t) + (allow namespace_init_t newrole_t (fd (use))) + (allow namespace_init_t newrole_t (fifo_file (ioctl read write getattr lock append))) + (allow namespace_init_t newrole_t (process (sigchld))) + (allow namespace_init_t usr_t (dir (getattr open search))) + (allow namespace_init_t bin_t (dir (getattr open search))) + (allow namespace_init_t bin_t (lnk_file (read getattr))) + (allow namespace_init_t bin_t (dir (getattr open search))) + (allow namespace_init_t bin_t (dir (getattr open search))) + (allow namespace_init_t setfiles_exec_t (file (ioctl read getattr map execute open))) + (allow namespace_init_t setfiles_t (process (transition))) + (typetransition namespace_init_t setfiles_exec_t process setfiles_t) + (allow setfiles_t namespace_init_t (fd (use))) + (allow setfiles_t namespace_init_t (fifo_file (ioctl read write getattr lock append))) + (allow setfiles_t namespace_init_t (process (sigchld))) + ) + (optional confinedom_security_advanced_optional_4 + (roletype object_r userhelper_type) + (typeattributeset 
cil_gen_require var_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require updpwd_t) + (typeattributeset cil_gen_require updpwd_exec_t) + (typeattributeset cil_gen_require shadow_t) + (typeattributeset cil_gen_require userhelper_type) + (typeattributeset cil_gen_require userhelper_exec_t) + (typeattributeset cil_gen_require userhelper_conf_t) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require can_change_process_role) + (typeattributeset cil_gen_require can_change_object_identity) + (typeattributeset cil_gen_require privfd) + (typeattributeset cil_gen_require can_change_process_identity) + (typeattributeset cil_gen_require sysctl_type) + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require proc_net_t) + (typeattributeset cil_gen_require debugfs_t) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require urandom_device_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require etc_runtime_t) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require autofs_t) + (typeattributeset 
cil_gen_require nfs_t) + (typeattributeset cil_gen_require devpts_t) + (typeattributeset cil_gen_require ttynode) + (typeattributeset cil_gen_require ptynode) + (typeattributeset cil_gen_require chkpwd_t) + (typeattributeset cil_gen_require chkpwd_exec_t) + (typeattributeset cil_gen_require auth_cache_t) + (typeattributeset cil_gen_require random_device_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require faillog_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require cert_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require pam_var_run_t) + (typeattributeset cil_gen_require var_auth_t) + (typeattributeset cil_gen_require pam_var_console_t) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require initrc_var_run_t) + (typeattributeset cil_gen_require default_context_t) + (typeattributeset cil_gen_require unpriv_userdomain) + (roleattributeset cil_gen_require urole) + (roletype urole userhelper_type) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (userhelper_type )) + (typeattributeset cil_gen_require can_change_process_identity) + (typeattributeset can_change_process_identity (userhelper_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (userhelper_type )) + (typeattributeset cil_gen_require privfd) + (typeattributeset privfd (userhelper_type )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (userhelper_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (userhelper_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (userhelper_exec_t )) + (typeattributeset cil_gen_require 
can_change_object_identity) + (typeattributeset can_change_object_identity (userhelper_type )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (userhelper_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (userhelper_type )) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (userhelper_type )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (userhelper_type )) + (typeattributeset cil_gen_require can_change_process_role) + (typeattributeset can_change_process_role (userhelper_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type (userhelper_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (userhelper_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (userhelper_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (userhelper_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (userhelper_type )) + (typeattributeset cil_gen_require userhelper_type) + (allow userhelper_type userhelper_exec_t (file (entrypoint))) + (allow userhelper_type userhelper_exec_t (file (ioctl read getattr lock map execute open))) + (allow userhelper_type self (capability (chown dac_read_search setgid setuid net_bind_service sys_tty_config))) + (allow userhelper_type self (process (fork transition sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit))) + (allow userhelper_type self (process (setexec))) + (allow userhelper_type self (fd (use))) + (allow userhelper_type self (fifo_file (ioctl read write getattr lock append open))) + 
(allow userhelper_type self (shm (create destroy getattr setattr read write associate unix_read unix_write lock))) + (allow userhelper_type self (sem (create destroy getattr setattr read write associate unix_read unix_write))) + (allow userhelper_type self (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue))) + (allow userhelper_type self (msg (send receive))) + (allow userhelper_type self (unix_dgram_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow userhelper_type self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown))) + (allow userhelper_type self (unix_dgram_socket (sendto))) + (allow userhelper_type self (unix_stream_socket (connectto))) + (allow userhelper_type self (sock_file (read getattr open))) + (allow utype userhelper_exec_t (file (ioctl read getattr map execute open))) + (allow utype userhelper_type (process (transition))) + (typetransition utype userhelper_exec_t process userhelper_type) + (allow userhelper_type utype (fd (use))) + (allow userhelper_type utype (fifo_file (ioctl read write getattr lock append))) + (allow userhelper_type utype (process (sigchld))) + (allow userhelper_type userhelper_conf_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type userhelper_conf_t (dir (getattr open search))) + (allow userhelper_type userhelper_conf_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type userhelper_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (dontaudit utype userhelper_type (process (signal))) + (allow userhelper_type sysctl_type (dir (getattr open search))) + (allow userhelper_type proc_t (dir (getattr open search))) + (allow userhelper_type proc_net_t (dir (getattr open search))) + (allow userhelper_type sysctl_type (file (ioctl read getattr lock open))) + (allow 
userhelper_type proc_t (dir (getattr open search))) + (allow userhelper_type proc_net_t (dir (getattr open search))) + (allow userhelper_type sysctl_type (dir (ioctl read getattr lock open search))) + (allow userhelper_type debugfs_t (filesystem (getattr))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow userhelper_type shell_exec_t (file (map))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (file (ioctl read getattr map execute open))) + (allow userhelper_type utype (process (transition))) + (allow userhelper_type usr_t (dir (getattr open search))) + (allow userhelper_type usr_t (lnk_file (read getattr))) + (allow userhelper_type usr_t (file (ioctl read getattr map execute open))) + (allow userhelper_type utype (process (transition))) + (typetransition userhelper_type bin_t process utype) + (typetransition userhelper_type usr_t process utype) + (allow userhelper_type privfd (fd (use))) + (allow userhelper_type privfd (process (sigchld))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type urandom_device_t (chr_file (ioctl read getattr lock open))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_lib_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type etc_t (dir (ioctl read getattr lock open 
search))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type etc_t (file (ioctl read getattr lock open))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type etc_t (lnk_file (read getattr))) + (allow userhelper_type etc_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type etc_runtime_t (file (ioctl read getattr lock open))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type etc_runtime_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_t (file (ioctl read getattr lock open))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type home_root_t (dir (getattr open search))) + (allow userhelper_type home_root_t (lnk_file (read getattr))) + (allow userhelper_type autofs_t (dir (getattr open search))) + (allow userhelper_type autofs_t (dir (getattr open search))) + (allow userhelper_type nfs_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type nfs_t (dir (getattr open search))) + (allow userhelper_type nfs_t (file (ioctl read getattr lock open))) + (allow userhelper_type nfs_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type nfs_t (dir (getattr open search))) + (allow userhelper_type nfs_t (lnk_file (read getattr))) + (allow userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type security_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow 
userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type security_t (file (ioctl read write getattr lock append map open))) + (allow userhelper_type security_t (security (check_context))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type security_t (security (compute_av))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type security_t (security (compute_create))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type security_t (security (compute_relabel))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type 
security_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type security_t (security (compute_user))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) + (allow userhelper_type devpts_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) + (allow userhelper_type ttynode (chr_file (getattr relabelfrom relabelto))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) + (allow userhelper_type devpts_t (dir (getattr open search))) + (allow userhelper_type devpts_t (chr_file (getattr relabelfrom relabelto))) + (allow userhelper_type ptynode (chr_file (getattr relabelfrom relabelto))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) + (allow userhelper_type ttynode (chr_file (ioctl read write getattr lock append open))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) 
+ (allow userhelper_type devpts_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type ptynode (chr_file (ioctl read write getattr lock append open))) + (allow userhelper_type auth_cache_t (dir (getattr open search))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type chkpwd_exec_t (file (ioctl read getattr map execute open))) + (allow userhelper_type chkpwd_t (process (transition))) + (typetransition userhelper_type chkpwd_exec_t process chkpwd_t) + (allow chkpwd_t userhelper_type (fd (use))) + (allow chkpwd_t userhelper_type (fifo_file (ioctl read write getattr lock append))) + (allow chkpwd_t userhelper_type (process (sigchld))) + (allow userhelper_type chkpwd_exec_t (file (map))) + (dontaudit userhelper_type shadow_t (file (ioctl read getattr lock open))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type random_device_t (chr_file (ioctl read getattr lock open))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type urandom_device_t (chr_file (ioctl read getattr lock open))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_log_t (dir (getattr open search))) + (allow userhelper_type faillog_t (dir (getattr open search))) + (allow userhelper_type faillog_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type self (capability (audit_write))) + (allow userhelper_type self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit))) + (allow userhelper_type cert_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type cert_t (dir (getattr open search))) + (allow userhelper_type cert_t (file (ioctl read 
getattr lock open))) + (allow userhelper_type cert_t (dir (getattr open search))) + (allow userhelper_type cert_t (lnk_file (read getattr))) + (allow userhelper_type updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow userhelper_type updpwd_t (process (transition))) + (typetransition userhelper_type updpwd_exec_t process updpwd_t) + (allow updpwd_t userhelper_type (fd (use))) + (allow updpwd_t userhelper_type (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t userhelper_type (process (sigchld))) + (dontaudit userhelper_type shadow_t (file (ioctl read getattr lock open))) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type pam_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow userhelper_type pam_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name 
remove_name search))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_auth_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_auth_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_auth_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type pam_var_console_t (dir (getattr open search))) + (allow userhelper_type init_t (fd (use))) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type initrc_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type selinux_config_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type selinux_config_t (dir (getattr open search))) + 
(allow userhelper_type selinux_config_t (file (ioctl read getattr lock open))) + (allow userhelper_type selinux_config_t (dir (getattr open search))) + (allow userhelper_type selinux_config_t (lnk_file (read getattr))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type selinux_config_t (dir (getattr open search))) + (allow userhelper_type default_context_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type default_context_t (dir (getattr open search))) + (allow userhelper_type default_context_t (file (ioctl read getattr lock open))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (file (ioctl read getattr map execute open))) + (allow userhelper_type unpriv_userdomain (process (transition))) + (allow userhelper_type usr_t (dir (getattr open search))) + (allow userhelper_type usr_t (lnk_file (read getattr))) + (allow userhelper_type usr_t (file (ioctl read getattr map execute open))) + (allow userhelper_type unpriv_userdomain (process (transition))) + (allow unpriv_userdomain userhelper_type (fd (use))) + (allow unpriv_userdomain userhelper_type (fifo_file (ioctl read write getattr lock append open))) + (allow unpriv_userdomain userhelper_type (process (sigchld))) + (allow userhelper_type entry_type (file (ioctl read getattr map execute open))) + (allow userhelper_type unpriv_userdomain (process (transition))) + (allow unpriv_userdomain userhelper_type (fd (use))) + (allow unpriv_userdomain userhelper_type (fifo_file (ioctl read write getattr lock append open))) + (allow unpriv_userdomain userhelper_type (process (sigchld))) + (typetransition userhelper_type var_run_t file "utmp" initrc_var_run_t) + (typetransition userhelper_type var_run_t dir "sudo" pam_var_run_t) + (typetransition userhelper_type var_run_t dir "sepermit" pam_var_run_t) + (typetransition userhelper_type var_run_t dir "pam_timestamp" pam_var_run_t) 
+ (typetransition userhelper_type var_run_t dir "pam_ssh" pam_var_run_t) + (typetransition userhelper_type var_run_t dir "pam_mount" pam_var_run_t) + (optional confinedom_security_advanced_optional_5 + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require krb5_keytab_t) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type krb5_keytab_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type krb5_keytab_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_security_advanced_optional_6 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require pcscd_var_run_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require pcscd_t) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type pcscd_var_run_t (dir (getattr open search))) + (allow userhelper_type pcscd_var_run_t (file (ioctl read getattr lock open))) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type pcscd_var_run_t (dir (getattr open search))) + (allow userhelper_type pcscd_var_run_t (sock_file (write getattr append open))) + (allow userhelper_type pcscd_t (unix_stream_socket (connectto))) + ) + (optional confinedom_security_advanced_optional_7 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require samba_var_t) + (typeattributeset cil_gen_require winbind_t) + (typeattributeset cil_gen_require winbind_var_run_t) + (typeattributeset cil_gen_require 
smbd_var_run_t) + (typeattributeset cil_gen_require samba_etc_t) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type smbd_var_run_t (dir (getattr open search))) + (allow userhelper_type samba_var_t (dir (getattr open search))) + (allow userhelper_type winbind_var_run_t (dir (getattr open search))) + (allow userhelper_type winbind_var_run_t (sock_file (write getattr append open))) + (allow userhelper_type winbind_t (unix_stream_socket (connectto))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type samba_etc_t (dir (getattr open search))) + (allow userhelper_type samba_etc_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type samba_etc_t (dir (getattr open search))) + (allow userhelper_type samba_etc_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_security_advanced_optional_8 + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require rpm_t) + (typeattributeset cil_gen_require rpm_exec_t) + (typeattributeset cil_gen_require rpm_transition_domain) + (typeattributeset cil_gen_require debuginfo_exec_t) + (typeattributeset cil_gen_require rpm_transition_domain) + (typeattributeset rpm_transition_domain (userhelper_type )) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type rpm_exec_t (file (ioctl read getattr map execute open))) + (allow userhelper_type rpm_t (process (transition))) + (typetransition userhelper_type rpm_exec_t process rpm_t) + (allow rpm_t userhelper_type (fd (use))) + (allow rpm_t userhelper_type (fifo_file (ioctl read write getattr lock 
append))) + (allow rpm_t userhelper_type (process (sigchld))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type debuginfo_exec_t (file (ioctl read getattr map execute open))) + (allow userhelper_type rpm_t (process (transition))) + (typetransition userhelper_type debuginfo_exec_t process rpm_t) + (allow rpm_t userhelper_type (fd (use))) + (allow rpm_t userhelper_type (fifo_file (ioctl read write getattr lock append))) + (allow rpm_t userhelper_type (process (sigchld))) + (allow userhelper_type debuginfo_exec_t (dir (getattr open search))) + (allow userhelper_type debuginfo_exec_t (lnk_file (read getattr))) + ) + (optional confinedom_security_advanced_optional_9 + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require sysadm_t) + (booleanif (secure_mode) + (false + (allow sysadm_t userhelper_type (process (sigchld))) + (allow sysadm_t userhelper_type (fifo_file (ioctl read write getattr lock append open))) + (allow sysadm_t userhelper_type (fd (use))) + (allow userhelper_type sysadm_t (process (transition))) + (allow userhelper_type entry_type (file (ioctl read getattr map execute open))) + (allow sysadm_t userhelper_type (process (sigchld))) + (allow sysadm_t userhelper_type (fifo_file (ioctl read write getattr lock append open))) + (allow sysadm_t userhelper_type (fd (use))) + (allow userhelper_type sysadm_t (process (transition))) + (allow userhelper_type usr_t (file (ioctl read getattr map execute open))) + (allow userhelper_type usr_t (lnk_file (read getattr))) + (allow userhelper_type usr_t (dir (getattr open search))) + (allow userhelper_type sysadm_t (process (transition))) + (allow userhelper_type bin_t (file (ioctl read getattr map 
execute open))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (dir (getattr open search))) + ) + ) + ) + ) + ) +) + +(macro confinedom_security_basic_macro ((type utype) (role urole)) + (optional confinedom_security_basic_optional_2 + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require can_load_policy) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require can_load_policy) + (typeattributeset can_load_policy (utype )) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read write getattr lock append open))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read getattr lock open))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype security_t (security (read_policy))) + ) +) + +(macro confinedom_sudo_macro ((type utype) (role urole) (type sudo_type) (type sudo_tmp_type)) + (optional confinedom_sudo_optional + ;(type sudo_type) + (roletype object_r sudo_type) + ;(type sudo_tmp_type) + (roletype object_r sudo_tmp_type) + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require sudo_type) + (typeattributeset cil_gen_require kernel_t) + (typeattributeset cil_gen_require sudo_exec_t) + (typeattributeset cil_gen_require sudo_db_t) + (typeattributeset cil_gen_require sudodomain) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require 
application_exec_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require privfd) + (typeattributeset cil_gen_require can_change_process_role) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset cil_gen_require tmpfile) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require polymember) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require user_home_t) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require chkpwd_t) + (typeattributeset cil_gen_require chkpwd_exec_t) + (typeattributeset cil_gen_require shadow_t) + (typeattributeset cil_gen_require auth_cache_t) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require random_device_t) + (typeattributeset cil_gen_require urandom_device_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require faillog_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require cert_t) + (typeattributeset cil_gen_require updpwd_t) + (typeattributeset cil_gen_require updpwd_exec_t) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset 
cil_gen_require syslogd_var_run_t) + (typeattributeset cil_gen_require devpts_t) + (typeattributeset cil_gen_require sshd_devpts_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require init_script_file_type) + (roleattributeset cil_gen_require urole) + (roletype urole sudo_type) + (roletype urole chkpwd_t) + (roletype urole updpwd_t) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (sudo_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (sudo_type )) + (typeattributeset cil_gen_require privfd) + (typeattributeset privfd (sudo_type )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (sudo_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (sudo_exec_t sudo_tmp_type )) + (typeattributeset cil_gen_require tmpfile) + (typeattributeset tmpfile (sudo_tmp_type )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (sudo_exec_t sudo_tmp_type )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (sudo_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (sudo_type )) + (typeattributeset cil_gen_require polymember) + (typeattributeset polymember (sudo_tmp_type )) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset userdom_home_manager_type (sudo_type )) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (sudo_type )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (sudo_type )) + (typeattributeset cil_gen_require can_change_process_role) + (typeattributeset can_change_process_role (sudo_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset 
application_exec_type (sudo_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (sudo_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (sudo_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (sudo_exec_t sudo_tmp_type )) + (typeattributeset cil_gen_require sudodomain) + (typeattributeset sudodomain (sudo_type )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (sudo_type )) + (allow sudo_type kernel_t (system (module_request))) + (allow sudo_type sudo_exec_t (file (entrypoint))) + (allow sudo_type sudo_exec_t (file (ioctl read getattr lock map execute open))) + (allow sudo_type sudo_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow sudo_type tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition sudo_type tmp_t file sudo_tmp_type) + (allow sudo_type utype (dir (getattr open search))) + (allow sudo_type utype (file (ioctl read getattr lock open))) + (allow sudo_type utype (key (search))) + (allow sudo_type utype (unix_stream_socket (read write connectto))) + (allow utype sudo_exec_t (file (ioctl read getattr map execute open))) + (allow utype sudo_type (process (transition))) + (typetransition utype sudo_exec_t process sudo_type) + (allow sudo_type utype (fd (use))) + (allow sudo_type utype (fifo_file (ioctl read write getattr lock append))) + (allow sudo_type utype (process (sigchld))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (ioctl read getattr lock open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type shell_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type shell_exec_t process utype) + 
(allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (allow sudo_type usr_t (dir (getattr open search))) + (allow sudo_type usr_t (lnk_file (read getattr))) + (allow sudo_type usr_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type bin_t process utype) + (typetransition sudo_type usr_t process utype) + (allow sudo_type user_home_t (dir (getattr open search))) + (allow sudo_type user_home_t (lnk_file (read getattr))) + (allow sudo_type user_home_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type user_home_t process utype) + (allow sudo_type tmpfs_t (dir (getattr open search))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmp_t (lnk_file (read getattr))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type user_tmp_t (dir (getattr open search))) + (allow sudo_type user_tmp_t (lnk_file (read getattr))) + (allow sudo_type user_tmp_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type user_tmp_t process utype) + (allow utype sudo_exec_t (file (entrypoint))) + (allow utype sudo_exec_t (file (ioctl read getattr lock map execute open))) + (allow sudo_type sudo_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type sudo_exec_t process utype) + (allow utype sudo_type (fd (use))) + (allow utype sudo_type (fifo_file (ioctl read write getattr lock append open))) + (allow utype sudo_type (process (sigchld sigkill sigstop signull signal))) + (allow sudo_type security_t (lnk_file (read getattr))) + (allow sudo_type sysfs_t (filesystem (getattr))) + (allow sudo_type sysfs_t 
(dir (getattr open search))) + (allow sudo_type sysfs_t (dir (getattr open search))) + (allow sudo_type security_t (filesystem (getattr))) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type selinux_config_t (dir (ioctl read getattr lock open search))) + (allow sudo_type selinux_config_t (dir (getattr open search))) + (allow sudo_type selinux_config_t (file (ioctl read getattr lock open))) + (allow sudo_type selinux_config_t (dir (getattr open search))) + (allow sudo_type selinux_config_t (lnk_file (read getattr))) + (allow sudo_type auth_cache_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type chkpwd_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type chkpwd_t (process (transition))) + (typetransition sudo_type chkpwd_exec_t process chkpwd_t) + (allow chkpwd_t sudo_type (fd (use))) + (allow chkpwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow chkpwd_t sudo_type (process (sigchld))) + (allow sudo_type chkpwd_exec_t (file (map))) + (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open))) + (allow sudo_type device_t (dir (getattr open search))) + (allow sudo_type random_device_t (chr_file (ioctl read getattr lock open))) + (allow sudo_type device_t (dir (getattr open search))) + (allow sudo_type urandom_device_t (chr_file (ioctl read getattr lock open))) + (allow sudo_type var_t (dir (getattr open search))) + (allow sudo_type var_log_t (dir (getattr open search))) + (allow sudo_type faillog_t (dir (getattr open search))) + (allow sudo_type faillog_t (file (ioctl read write getattr lock append open))) + (allow sudo_type self (capability (audit_write))) + (allow sudo_type self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt 
shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit))) + (allow sudo_type cert_t (dir (ioctl read getattr lock open search))) + (allow sudo_type cert_t (dir (getattr open search))) + (allow sudo_type cert_t (file (ioctl read getattr lock open))) + (allow sudo_type cert_t (dir (getattr open search))) + (allow sudo_type cert_t (lnk_file (read getattr))) + (allow sudo_type updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type updpwd_t (process (transition))) + (typetransition sudo_type updpwd_exec_t process updpwd_t) + (allow updpwd_t sudo_type (fd (use))) + (allow updpwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t sudo_type (process (sigchld))) + (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open))) + (allow sudo_type updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type updpwd_t (process (transition))) + (typetransition sudo_type updpwd_exec_t process updpwd_t) + (allow updpwd_t sudo_type (fd (use))) + (allow updpwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t sudo_type (process (sigchld))) + (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open))) + (allow sudo_type syslogd_var_run_t (dir (getattr open search))) + (allow sudo_type syslogd_var_run_t (file (ioctl read getattr lock open map))) + (allow sudo_type syslogd_var_run_t (dir (getattr open search))) + (allow sudo_type syslogd_var_run_t (dir (ioctl read getattr lock open search))) + (allow sudo_type device_t (dir (getattr open search))) + (allow sudo_type device_t (dir (ioctl read getattr lock open search))) + (allow sudo_type device_t (dir (getattr open search))) + (allow sudo_type device_t (lnk_file (read getattr))) + (allow sudo_type devpts_t (dir (ioctl read getattr lock open search))) + (allow sudo_type devpts_t (chr_file (ioctl read write getattr lock append open))) + (allow sudo_type devpts_t (chr_file (setattr))) + (allow sudo_type sshd_devpts_t (chr_file 
(ioctl read write getattr lock append))) + (allow sudo_type systemd_unit_file_type (service (start stop status reload enable disable))) + (allow sudo_type init_script_file_type (service (start stop status reload enable disable))) + (optional confinedom_sudo_optional_3 + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require krb5_keytab_t) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type krb5_keytab_t (dir (ioctl read getattr lock open search))) + (allow sudo_type krb5_keytab_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_sudo_optional_4 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require pcscd_var_run_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require pcscd_t) + (allow sudo_type var_t (lnk_file (read getattr))) + (allow sudo_type var_run_t (lnk_file (read getattr))) + (allow sudo_type var_t (dir (getattr open search))) + (allow sudo_type var_run_t (dir (getattr open search))) + (allow sudo_type pcscd_var_run_t (dir (getattr open search))) + (allow sudo_type pcscd_var_run_t (file (ioctl read getattr lock open))) + (allow sudo_type var_t (lnk_file (read getattr))) + (allow sudo_type var_run_t (lnk_file (read getattr))) + (allow sudo_type var_t (dir (getattr open search))) + (allow sudo_type var_run_t (dir (getattr open search))) + (allow sudo_type pcscd_var_run_t (dir (getattr open search))) + (allow sudo_type pcscd_var_run_t (sock_file (write getattr append open))) + (allow sudo_type pcscd_t (unix_stream_socket (connectto))) + ) + (optional confinedom_sudo_optional_5 + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require samba_var_t) + (typeattributeset cil_gen_require winbind_t) + (typeattributeset cil_gen_require winbind_var_run_t) + (typeattributeset cil_gen_require smbd_var_run_t) + (typeattributeset cil_gen_require 
samba_etc_t) + (allow sudo_type var_t (lnk_file (read getattr))) + (allow sudo_type var_run_t (lnk_file (read getattr))) + (allow sudo_type var_t (dir (getattr open search))) + (allow sudo_type var_run_t (dir (getattr open search))) + (allow sudo_type smbd_var_run_t (dir (getattr open search))) + (allow sudo_type samba_var_t (dir (getattr open search))) + (allow sudo_type winbind_var_run_t (dir (getattr open search))) + (allow sudo_type winbind_var_run_t (sock_file (write getattr append open))) + (allow sudo_type winbind_t (unix_stream_socket (connectto))) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type samba_etc_t (dir (getattr open search))) + (allow sudo_type samba_etc_t (dir (ioctl read getattr lock open search))) + (allow sudo_type samba_etc_t (dir (getattr open search))) + (allow sudo_type samba_etc_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_sudo_optional_6 + (typeattributeset cil_gen_require mta_user_agent) + (typeattributeset cil_gen_require user_mail_t) + (typeattributeset cil_gen_require sendmail_exec_t) + (roleattributeset cil_gen_require urole) + (roletype urole mta_user_agent) + (roletype urole user_mail_t) + (allow sudo_type sendmail_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type user_mail_t (process (transition))) + (typetransition sudo_type sendmail_exec_t process user_mail_t) + (allow user_mail_t sudo_type (fd (use))) + (allow user_mail_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow user_mail_t sudo_type (process (sigchld))) + (allow sudo_type sendmail_exec_t (lnk_file (read getattr))) + (allow mta_user_agent sudo_type (fd (use))) + (allow mta_user_agent sudo_type (process (sigchld))) + (allow mta_user_agent sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow sudo_type user_mail_t (process (signal))) + (optional confinedom_sudo_optional_7 + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require exim_t) + 
(typeattributeset cil_gen_require exim_exec_t) + (roleattributeset cil_gen_require urole) + (roletype urole exim_t) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type exim_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type exim_t (process (transition))) + (typetransition sudo_type exim_exec_t process exim_t) + (allow exim_t sudo_type (fd (use))) + (allow exim_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow exim_t sudo_type (process (sigchld))) + ) + (optional confinedom_sudo_optional_8 + (typeattributeset cil_gen_require mailman_mail_t) + (typeattributeset cil_gen_require mailman_mail_exec_t) + (roleattributeset cil_gen_require urole) + (roletype urole mailman_mail_t) + (allow mta_user_agent mailman_mail_exec_t (file (ioctl read getattr map execute open))) + (allow mta_user_agent mailman_mail_t (process (transition))) + (typetransition mta_user_agent mailman_mail_exec_t process mailman_mail_t) + (allow mailman_mail_t mta_user_agent (fd (use))) + (allow mailman_mail_t mta_user_agent (fifo_file (ioctl read write getattr lock append))) + (allow mailman_mail_t mta_user_agent (process (sigchld))) + ) + ) + (optional confinedom_sudo_optional_9 + (roleattributeset cil_gen_require rpm_script_roles) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require rpm_t) + (typeattributeset cil_gen_require rpm_script_t) + (typeattributeset cil_gen_require rpm_exec_t) + (typeattributeset cil_gen_require rpm_transition_domain) + (typeattributeset cil_gen_require debuginfo_exec_t) + (typeattributeset cil_gen_require can_system_change) + (roleattributeset cil_gen_require rpm_script_roles) + (roleattributeset rpm_script_roles (urole )) + (typeattributeset cil_gen_require rpm_transition_domain) + (typeattributeset rpm_transition_domain 
(sudo_type )) + (typeattributeset cil_gen_require can_system_change) + (typeattributeset can_system_change (sudo_type )) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type rpm_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type rpm_t (process (transition))) + (typetransition sudo_type rpm_exec_t process rpm_t) + (allow rpm_t sudo_type (fd (use))) + (allow rpm_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow rpm_t sudo_type (process (sigchld))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type debuginfo_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type rpm_t (process (transition))) + (typetransition sudo_type debuginfo_exec_t process rpm_t) + (allow rpm_t sudo_type (fd (use))) + (allow rpm_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow rpm_t sudo_type (process (sigchld))) + (allow sudo_type debuginfo_exec_t (dir (getattr open search))) + (allow sudo_type debuginfo_exec_t (lnk_file (read getattr))) + (allow sudo_type rpm_script_t (process (transition))) + (allow sudo_type rpm_script_t (fd (use))) + (allow rpm_script_t sudo_type (fd (use))) + (allow rpm_script_t sudo_type (fifo_file (ioctl read write getattr lock append open))) + (allow rpm_script_t sudo_type (process (sigchld))) + ) + (optional confinedom_sudo_optional_10 + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset 
cil_gen_require krb5_host_rcache_t) + (typeattributeset cil_gen_require can_change_object_identity) + (typeattributeset cil_gen_require default_context_t) + (typeattributeset cil_gen_require file_context_t) + (typeattributeset cil_gen_require krb5_conf_t) + (typeattributeset cil_gen_require krb5_home_t) + (typeattributeset cil_gen_require can_change_object_identity) + (typeattributeset can_change_object_identity (sudo_type )) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type krb5_conf_t (file (ioctl read getattr lock open))) + (allow sudo_type krb5_home_t (file (ioctl read getattr lock open))) + (booleanif (kerberos_enabled) + (true + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmp_t (lnk_file (read getattr))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmpfs_t (dir (getattr open search))) + (allow sudo_type krb5_host_rcache_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow sudo_type krb5_host_rcache_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmp_t (lnk_file (read getattr))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmpfs_t (dir (getattr open search))) + (allow sudo_type file_context_t (file (map))) + (allow sudo_type file_context_t (lnk_file (read getattr))) + (allow sudo_type file_context_t (dir (getattr open search))) + (allow sudo_type file_context_t (file (ioctl read getattr lock open))) + (allow sudo_type file_context_t (dir (getattr open search))) + (allow sudo_type file_context_t (dir (ioctl read getattr lock open search))) + (allow sudo_type file_context_t (dir (getattr open search))) + (allow sudo_type selinux_config_t (dir (getattr open search))) + (allow sudo_type default_context_t 
(dir (getattr open search))) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type security_t (security (check_context))) + (allow sudo_type security_t (file (ioctl read write getattr lock append map open))) + (allow sudo_type security_t (dir (ioctl read getattr lock open search))) + (allow sudo_type security_t (lnk_file (read getattr))) + (allow sudo_type sysfs_t (dir (getattr open search))) + (allow sudo_type sysfs_t (dir (getattr open search))) + (allow sudo_type sysfs_t (filesystem (getattr))) + (allow sudo_type self (process (setfscreate))) + ) + ) + ) + (optional confinedom_sudo_optional_11 + (typeattributeset cil_gen_require systemd_systemctl_exec_t) + (allow sudo_type systemd_systemctl_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type systemd_systemctl_exec_t process utype) + (allow utype systemd_systemctl_exec_t (file (entrypoint))) + ) + (optional confinedom_sudo_optional_12 + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (allow sudo_type user_tmp_t (sock_file (write getattr append open))) + (allow sudo_type tmpfs_t (dir (getattr open search))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmp_t (lnk_file (read getattr))) + (allow sudo_type tmp_t (dir (getattr open search))) + (optional confinedom_sudo_optional_13 + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require passwd_t) + (typeattributeset cil_gen_require passwd_exec_t) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type passwd_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type passwd_t (process (transition))) + (typetransition sudo_type passwd_exec_t process 
passwd_t) + (allow passwd_t sudo_type (fd (use))) + (allow passwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow passwd_t sudo_type (process (sigchld))) + ) + ) + ) +) + +(macro confinedom_user_login_macro ((type utype) (role urole) (type gkeyringd_type) (type dbusd_type) (boolean exec_content_bool)) + (optional confinedom_user_login_optional_2 + (roletype object_r utype) + (typeattributeset cil_gen_require userdomain) + (typeattributeset cil_gen_require login_confinedom) + (typeattributeset cil_gen_require user_devpts_t) + (typeattributeset cil_gen_require user_tty_device_t) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require process_user_target) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require userdom_filetrans_type) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require user_tmp_type) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require user_home_t) + (typeattributeset cil_gen_require user_home_type) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require user_home_content_type) + (typeattributeset cil_gen_require polymember) + (typeattributeset cil_gen_require nfs_t) + (typeattributeset cil_gen_require cifs_t) + (typeattributeset cil_gen_require bsdpty_device_t) + (typeattributeset cil_gen_require devpts_t) + (typeattributeset cil_gen_require ptmx_t) + (typeattributeset cil_gen_require device_t) + (typeattributeset 
cil_gen_require ttynode) + (typeattributeset cil_gen_require ptynode) + (typeattributeset cil_gen_require console_device_t) + (typeattributeset cil_gen_require tty_device_t) + (typeattributeset cil_gen_require server_ptynode) + (typeattributeset cil_gen_require device_node) + (typeattributeset cil_gen_require virtio_device_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require base_ro_file_type) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset cil_gen_require chkpwd_t) + (typeattributeset cil_gen_require chkpwd_exec_t) + (typeattributeset cil_gen_require shadow_t) + (typeattributeset cil_gen_require updpwd_t) + (typeattributeset cil_gen_require updpwd_exec_t) + (typeattributeset cil_gen_require passwd_file_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require boot_t) + (typeattributeset cil_gen_require cgroup_t) + (typeattributeset cil_gen_require filesystem_type) + (typeattributeset cil_gen_require fs_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require init_exec_t) + (typeattributeset cil_gen_require systemd_systemctl_exec_t) + (typeattributeset cil_gen_require efivarfs_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require init_var_run_t) + (typeattributeset cil_gen_require systemd_logind_var_run_t) + (typeattributeset cil_gen_require systemd_passwd_agent_t) + (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) + (typeattributeset cil_gen_require systemd_passwd_var_run_t) + (typeattributeset cil_gen_require kernel_t) + (typeattributeset cil_gen_require sysctl_type) + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require 
proc_net_t) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require locale_t) + (typeattributeset cil_gen_require mount_var_run_t) + (typeattributeset cil_gen_require sound_device_t) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require default_context_t) + (typeattributeset cil_gen_require file_context_t) + (typeattributeset cil_gen_require fixed_disk_device_t) + (typeattributeset cil_gen_require systemd_hostnamed_t) + (typeattributeset cil_gen_require systemd_tmpfiles_exec_t) + (typeattributeset cil_gen_require udev_var_run_t) + (roleattributeset cil_gen_require urole) + (roletype urole utype) + (roletype urole user_tmp_t) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (utype )) + (typeattributeset cil_gen_require login_confinedom) + (typeattributeset login_confinedom (utype )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (utype )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (utype )) + (typeattributeset cil_gen_require device_node) + (typeattributeset device_node (user_devpts_t )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (utype shell_exec_t )) + (typeattributeset cil_gen_require ptynode) + (typeattributeset ptynode (user_devpts_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (utype shell_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (shell_exec_t )) + (typeattributeset cil_gen_require user_home_content_type) + (typeattributeset user_home_content_type (utype )) + (typeattributeset cil_gen_require polymember) + (typeattributeset polymember (utype )) + 
(typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (utype )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (utype )) + (typeattributeset cil_gen_require userdom_filetrans_type) + (typeattributeset userdom_filetrans_type (utype )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (utype )) + (typeattributeset cil_gen_require user_home_type) + (typeattributeset user_home_type (utype )) + (typeattributeset cil_gen_require userdomain) + (typeattributeset userdomain (utype )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (shell_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (utype shell_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (utype )) + (typeattributeset cil_gen_require process_user_target) + (typeattributeset process_user_target (utype )) + (allow utype shell_exec_t (file (entrypoint))) + (allow utype shell_exec_t (file (ioctl read getattr lock map execute open))) + (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (typemember utype tmp_t dir user_tmp_t) + (allow utype user_tmp_type (dir (mounton))) + (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + 
(allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition utype tmp_t fifo_file user_tmp_t) + (typetransition utype tmp_t sock_file user_tmp_t) + (typetransition utype tmp_t lnk_file user_tmp_t) + (typetransition utype tmp_t dir user_tmp_t) + (typetransition utype tmp_t file user_tmp_t) + (allow user_tmp_t tmpfs_t (filesystem (associate))) + (allow utype tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition utype tmpfs_t fifo_file user_tmp_t) + (typetransition utype tmpfs_t sock_file user_tmp_t) + (typetransition utype tmpfs_t lnk_file user_tmp_t) + (typetransition utype tmpfs_t dir user_tmp_t) + (typetransition utype tmpfs_t file user_tmp_t) + (allow utype user_tmp_type (dir (getattr open search))) + (allow utype user_tmp_type (dir (getattr relabelfrom relabelto))) + (allow utype user_tmp_type (dir (getattr open search))) + (allow utype user_tmp_type (file (getattr relabelfrom relabelto))) + (allow utype user_tmp_type (dir (getattr open search))) + (allow utype user_tmp_type 
(lnk_file (getattr relabelfrom relabelto))) + (allow utype user_tmp_type (dir (getattr open search))) + (allow utype user_tmp_type (sock_file (getattr relabelfrom relabelto))) + (allow utype user_tmp_type (dir (getattr open search))) + (allow utype user_tmp_type (fifo_file (getattr relabelfrom relabelto))) + (allow utype user_tmp_type (file (map))) + (allow utype home_root_t (dir (ioctl read getattr lock open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl 
read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition utype user_home_dir_t fifo_file user_home_t) + (typetransition utype user_home_dir_t sock_file user_home_t) + (typetransition utype user_home_dir_t lnk_file user_home_t) + (typetransition utype user_home_dir_t dir user_home_t) + (typetransition utype user_home_dir_t file user_home_t) + (allow login_confinedom self (capability (mknod))) + (allow login_confinedom user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow login_confinedom user_tmp_t (chr_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow login_confinedom tmpfs_t (dir (getattr open search))) + (allow login_confinedom tmp_t (dir (getattr open search))) + (allow login_confinedom tmp_t (lnk_file (read getattr))) + (allow login_confinedom tmp_t (dir (getattr open search))) + (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype tmp_t (lnk_file (read getattr))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype user_home_t (filesystem (associate))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype ptmx_t (chr_file (ioctl read write getattr lock append open))) + (allow utype devpts_t (dir (ioctl read getattr lock open search))) + (allow utype devpts_t (filesystem 
(getattr))) + (dontaudit utype bsdpty_device_t (chr_file (read write getattr))) + (typetransition utype devpts_t chr_file user_devpts_t) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype devpts_t (dir (ioctl read getattr lock open search))) + (allow utype devpts_t (chr_file (ioctl read write getattr lock append open))) + (allow utype ttynode (chr_file (ioctl read write getattr lock append open))) + (allow utype ptynode (chr_file (ioctl read write getattr lock append open))) + (allow utype console_device_t (chr_file (ioctl read write getattr lock append open))) + (allow utype tty_device_t (chr_file (ioctl read write getattr lock append open))) + (allow user_devpts_t devpts_t (filesystem (associate))) + (allow utype user_devpts_t (chr_file (setattr))) + (typechange utype server_ptynode chr_file user_devpts_t) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype virtio_device_t (chr_file (ioctl read write getattr lock append open))) + (allow utype utype (capability (chown dac_read_search setgid setuid audit_write))) + (allow utype utype (dbus (acquire_svc))) + (allow utype utype (process (setsched setcap setfscreate setsockcreate))) + (allow utype utype (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write nlmsg_relay))) + (allow utype utype (netlink_kobject_uevent_socket (create getattr bind getopt setopt))) + (allow utype utype (unix_dgram_socket (ioctl create bind connect getopt setopt sendto))) + (allow utype utype (unix_stream_socket (connectto))) + (allow utype utype (context (contains))) + (dontaudit utype 
exec_type (file (execute execute_no_trans))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (ioctl read getattr lock open search))) + (allow utype bin_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype base_ro_file_type (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (ioctl read getattr lock open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype shell_exec_t (file (map))) + (allow utype application_exec_type (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype chkpwd_exec_t (file (ioctl read getattr map execute open))) + (allow utype chkpwd_t (process (transition))) + (typetransition utype chkpwd_exec_t process chkpwd_t) + (allow chkpwd_t utype (fd (use))) + (allow chkpwd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow chkpwd_t utype (process (sigchld))) + (dontaudit utype shadow_t (file (read getattr))) + (allow utype updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow utype updpwd_t (process (transition))) + (typetransition utype updpwd_exec_t process updpwd_t) + (allow updpwd_t utype (fd (use))) + (allow updpwd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t utype (process (sigchld))) + (dontaudit utype shadow_t (file (ioctl read getattr lock open))) + (allow utype passwd_file_t (file (ioctl read getattr lock open))) + (allow utype init_t (dbus 
(send_msg))) + (allow init_t utype (dbus (send_msg))) + (dontaudit utype boot_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (dontaudit utype boot_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype cgroup_t (filesystem (getattr))) + (allow utype filesystem_type (dir (getattr))) + (allow utype tmpfs_t (filesystem (getattr))) + (allow utype fs_t (filesystem (getattr))) + (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cgroup_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cgroup_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cgroup_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype tmpfs_t (file (ioctl read getattr lock open))) + (allow utype filesystem_type (dir (getattr open search))) + (allow utype init_exec_t (file (entrypoint))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype 
init_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype init_t (system (status))) + (allow utype init_t (service (status))) + (allow utype kernel_t (unix_dgram_socket (sendto))) + (allow utype sysctl_type (dir (getattr open search))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_net_t (dir (getattr open search))) + (allow utype sysctl_type (file (ioctl read getattr lock open))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_net_t (dir (getattr open search))) + (allow utype sysctl_type (dir (ioctl read getattr lock open search))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_net_t (dir (getattr open search))) + (allow utype proc_net_t (file (ioctl read getattr lock open))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_net_t (dir (getattr open search))) + (allow utype proc_net_t (lnk_file (read getattr))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_net_t (dir (ioctl read getattr lock open search))) + (allow utype kernel_t (system (module_request))) + (allow utype kernel_t (unix_stream_socket (getattr connectto))) + (allow utype locale_t (dir (getattr open search))) + (allow utype locale_t (lnk_file (getattr watch))) + (allow utype mount_var_run_t (dir (getattr open search))) + (allow utype mount_var_run_t (file (ioctl read getattr lock open))) + (allow utype mount_var_run_t (dir (getattr open search))) + (allow utype mount_var_run_t (dir (ioctl read getattr lock open search watch watch_reads))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow 
utype mount_var_run_t (dir (getattr open search))) + (allow utype mount_var_run_t (dir (getattr watch))) + (allow utype device_t (dir (getattr open search))) + (allow utype sound_device_t (chr_file (getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (file (ioctl read getattr lock open))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (lnk_file (read getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (ioctl read getattr lock open search))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_t (dir (getattr open search))) + (allow utype domain (dir (ioctl read getattr lock open search))) + (allow utype domain (dir (getattr open search))) + (allow utype domain (file (ioctl read getattr lock open))) + (allow utype domain (dir (getattr open search))) + (allow utype domain (lnk_file (read getattr))) + (allow utype sysfs_t (filesystem (getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read write getattr lock append open))) + (allow utype security_t (security (compute_av))) + (allow utype sysfs_t (filesystem (getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read write getattr lock append open))) + (allow utype security_t (security (compute_create))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype sysfs_t (filesystem (getattr))) + (allow utype sysfs_t (dir (getattr open search))) + 
(allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (filesystem (getattr))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read getattr map open))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype etc_t (dir (getattr open search))) + (allow utype selinux_config_t (dir (ioctl read getattr lock open search))) + (allow utype selinux_config_t (dir (getattr open search))) + (allow utype selinux_config_t (file (ioctl read getattr lock open))) + (allow utype selinux_config_t (dir (getattr open search))) + (allow utype selinux_config_t (lnk_file (read getattr))) + (allow utype etc_t (dir (getattr open search))) + (allow utype selinux_config_t (dir (getattr open search))) + (allow utype default_context_t (dir (getattr open search))) + (allow utype file_context_t (dir (getattr open search))) + (allow utype file_context_t (dir (ioctl read getattr lock open search))) + (allow utype file_context_t (dir (getattr open search))) + (allow utype file_context_t (file (ioctl read getattr lock open))) + (allow utype file_context_t (dir (getattr open search))) + (allow utype file_context_t (lnk_file (read getattr))) + (allow utype file_context_t (file (map))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype fixed_disk_device_t (blk_file (getattr))) + (allow utype systemd_hostnamed_t (dbus (send_msg))) + (allow systemd_hostnamed_t utype (dbus (send_msg))) + (allow systemd_hostnamed_t utype (dir (ioctl read getattr lock open search))) + (allow systemd_hostnamed_t utype (file (ioctl read getattr lock open))) + (allow systemd_hostnamed_t utype (lnk_file (read getattr))) + (allow systemd_hostnamed_t utype (process (getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t 
(lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (dir (ioctl read getattr lock open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (file (ioctl read getattr lock open))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (lnk_file (read getattr))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype efivarfs_t (dir (getattr open search))) + (allow utype efivarfs_t (file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) + (allow utype init_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype init_t (dir (getattr open search))) + (allow utype init_t (file (ioctl read getattr lock open))) + (allow utype init_t (lnk_file (read getattr))) + (allow utype init_t (unix_stream_socket (sendto))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (sock_file (write getattr append open))) + (allow utype init_t (unix_stream_socket (connectto))) + (allow utype init_t (unix_stream_socket (getattr))) + (dontaudit utype self (process (setrlimit))) + (dontaudit utype self 
(capability (sys_resource))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) + (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow systemd_passwd_agent_t utype (process (signull))) + (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) + (dontaudit utype self (capability (net_admin sys_ptrace))) + (allow utype systemd_tmpfiles_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype systemd_passwd_var_run_t (dir (getattr 
watch))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype systemd_unit_file_type (file (ioctl read getattr lock open))) + (allow utype systemd_unit_file_type (lnk_file (read getattr))) + (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype udev_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype udev_var_run_t (dir (getattr open search))) + (allow utype udev_var_run_t (file (ioctl read getattr lock open))) + (allow utype udev_var_run_t (dir (getattr open search))) + (allow utype udev_var_run_t (lnk_file (read getattr))) + (roleallow system_r urole) + (booleanif (deny_bluetooth) + (false + (allow utype self (bluetooth_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown))) + ) + ) + (booleanif (and (exec_content_bool) (use_samba_home_dirs)) + (true + (allow utype cifs_t (file (ioctl read getattr map execute open execute_no_trans))) + (allow utype cifs_t (dir (getattr open search))) + (allow utype cifs_t (dir (ioctl read getattr lock open search))) + ) + ) + (booleanif (and (exec_content_bool) (use_nfs_home_dirs)) + (true + (allow utype nfs_t (file (ioctl read getattr map execute open execute_no_trans))) + (allow utype nfs_t (dir (getattr open search))) + (allow utype nfs_t (dir (ioctl read getattr lock open search))) + ) + ) + (booleanif (exec_content_bool) + (true + (allow utype user_home_type (file (ioctl read getattr map execute open execute_no_trans))) + 
(allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype tmp_t (lnk_file (read getattr))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype user_tmp_t (file (ioctl read getattr map execute open execute_no_trans))) + (allow utype user_tmp_t (dir (getattr open search))) + (allow utype user_tmp_t (file (entrypoint))) + ) + ) + (optional confinedom_user_login_optional_3 + (typeattributeset cil_gen_require sssd_public_t) + (typeattributeset cil_gen_require sssd_var_lib_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require sssd_t) + (typeattributeset cil_gen_require var_run_t) + (allow utype sssd_var_lib_t (dir (getattr open search))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype sssd_public_t (dir (getattr open search))) + (allow utype sssd_public_t (dir (ioctl read getattr lock open search))) + (allow utype sssd_public_t (dir (getattr open search))) + (allow utype sssd_public_t (file (ioctl read getattr lock open))) + (allow utype sssd_public_t (file (map))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype sssd_var_lib_t (dir (getattr open search))) + (allow utype sssd_var_lib_t (sock_file (write getattr append open))) + (allow utype sssd_t (unix_stream_socket (connectto))) + ) + (optional confinedom_user_login_optional_4 + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require var_t) + 
(typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require cgroup_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require systemd_systemctl_exec_t) + (typeattributeset cil_gen_require efivarfs_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require init_var_run_t) + (typeattributeset cil_gen_require systemd_logind_var_run_t) + (typeattributeset cil_gen_require systemd_passwd_agent_t) + (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) + (typeattributeset cil_gen_require systemd_passwd_var_run_t) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (dir (ioctl read getattr lock open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (file (ioctl read getattr lock open))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (lnk_file (read getattr))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype efivarfs_t (dir (getattr open search))) + (allow utype efivarfs_t (file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) + (allow utype init_var_run_t (dir 
(ioctl read getattr lock open search))) + (allow utype init_t (dir (getattr open search))) + (allow utype init_t (file (ioctl read getattr lock open))) + (allow utype init_t (lnk_file (read getattr))) + (allow utype init_t (unix_stream_socket (sendto))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (sock_file (write getattr append open))) + (allow utype init_t (unix_stream_socket (connectto))) + (allow utype init_t (unix_stream_socket (getattr))) + (dontaudit utype self (process (setrlimit))) + (dontaudit utype self (capability (sys_resource))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) + (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write 
getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow systemd_passwd_agent_t utype (process (signull))) + (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) + (dontaudit utype self (capability (net_admin sys_ptrace))) + (optional confinedom_user_login_optional_5 + (typeattributeset cil_gen_require bluetooth_t) + (allow utype bluetooth_t (dbus (send_msg))) + (allow bluetooth_t utype (dbus (send_msg))) + ) + (optional confinedom_user_login_optional_6 + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require base_ro_file_type) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset cil_gen_require chkpwd_t) + (typeattributeset cil_gen_require chkpwd_exec_t) + (typeattributeset cil_gen_require shadow_t) + (typeattributeset cil_gen_require updpwd_t) + (typeattributeset cil_gen_require updpwd_exec_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset 
cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require cronjob_t) + (typeattributeset cil_gen_require crontab_t) + (typeattributeset cil_gen_require crontab_exec_t) + (typeattributeset cil_gen_require user_cron_spool_t) + (typeattributeset cil_gen_require crond_t) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require auth_cache_t) + (typeattributeset cil_gen_require random_device_t) + (typeattributeset cil_gen_require urandom_device_t) + (typeattributeset cil_gen_require faillog_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require cert_t) + (typeattributeset cil_gen_require userdom_home_reader_type) + (roleattributeset cil_gen_require urole) + (roletype urole cronjob_t) + (roletype urole crontab_t) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (utype )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (utype )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (utype )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (crontab_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (crontab_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (crontab_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (utype )) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (utype )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (utype )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type (crontab_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset 
nsswitch_domain (utype )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (crontab_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (crontab_exec_t )) + (typeattributeset cil_gen_require userdom_home_reader_type) + (typeattributeset userdom_home_reader_type (utype )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (utype )) + (allow utype crontab_exec_t (file (ioctl read getattr map execute open))) + (allow utype crontab_t (process (transition))) + (typetransition utype crontab_exec_t process crontab_t) + (allow crontab_t utype (fd (use))) + (allow crontab_t utype (fifo_file (ioctl read write getattr lock append))) + (allow crontab_t utype (process (sigchld))) + (dontaudit crond_t utype (process (noatsecure siginh rlimitinh))) + (allow utype crond_t (process (sigchld))) + (allow utype user_cron_spool_t (file (ioctl read write getattr))) + (allow utype crontab_t (process (sigchld sigkill sigstop signull signal))) + (allow utype crontab_t (dir (ioctl read getattr lock open search))) + (allow utype crontab_t (file (ioctl read getattr lock open))) + (allow utype crontab_t (lnk_file (read getattr))) + (allow utype crontab_t (process (getattr))) + (allow utype crontab_exec_t (file (entrypoint))) + (allow utype crontab_exec_t (file (ioctl read getattr lock map execute open))) + (allow utype auth_cache_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype chkpwd_exec_t (file (ioctl read getattr map execute open))) + (allow utype chkpwd_t (process (transition))) + (typetransition utype chkpwd_exec_t process chkpwd_t) + (allow chkpwd_t utype (fd (use))) + (allow chkpwd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow chkpwd_t utype (process (sigchld))) + (allow 
utype chkpwd_exec_t (file (map))) + (dontaudit utype shadow_t (file (ioctl read getattr lock open))) + (allow utype device_t (dir (getattr open search))) + (allow utype random_device_t (chr_file (ioctl read getattr lock open))) + (allow utype device_t (dir (getattr open search))) + (allow utype urandom_device_t (chr_file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_log_t (dir (getattr open search))) + (allow utype faillog_t (dir (getattr open search))) + (allow utype faillog_t (file (ioctl read write getattr lock append open))) + (allow utype self (capability (audit_write))) + (allow utype self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit))) + (allow utype cert_t (dir (ioctl read getattr lock open search))) + (allow utype cert_t (dir (getattr open search))) + (allow utype cert_t (file (ioctl read getattr lock open))) + (allow utype cert_t (dir (getattr open search))) + (allow utype cert_t (lnk_file (read getattr))) + (allow utype updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow utype updpwd_t (process (transition))) + (typetransition utype updpwd_exec_t process updpwd_t) + (allow updpwd_t utype (fd (use))) + (allow updpwd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t utype (process (sigchld))) + (dontaudit utype shadow_t (file (ioctl read getattr lock open))) + (allow crontab_t bin_t (dir (getattr open search))) + (allow crontab_t bin_t (lnk_file (read getattr))) + (allow crontab_t bin_t (dir (getattr open search))) + (allow crontab_t bin_t (dir (ioctl read getattr lock open search))) + (allow crontab_t bin_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow crontab_t base_ro_file_type (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow crontab_t bin_t (dir (getattr open search))) + (allow crontab_t 
bin_t (dir (ioctl read getattr lock open search))) + (allow crontab_t bin_t (dir (getattr open search))) + (allow crontab_t bin_t (lnk_file (read getattr))) + (allow crontab_t shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow crontab_t shell_exec_t (file (map))) + (booleanif (cron_userdomain_transition) + (true + (allow utype cronjob_t (process (getattr))) + (allow utype cronjob_t (lnk_file (read getattr))) + (allow utype cronjob_t (file (ioctl read getattr lock open))) + (allow utype cronjob_t (dir (ioctl read getattr lock open search))) + (allow utype cronjob_t (process (sigchld sigkill sigstop signull signal))) + (allow utype crond_t (fifo_file (ioctl read write getattr lock append open))) + (allow utype user_cron_spool_t (file (entrypoint))) + (allow crond_t utype (key (view read write search link setattr create))) + (allow crond_t utype (fd (use))) + (allow crond_t utype (process (transition))) + ) + (false + (dontaudit utype cronjob_t (process (sigchld sigkill sigstop signull signal))) + (dontaudit utype crond_t (fifo_file (ioctl read write getattr lock append open))) + (dontaudit utype user_cron_spool_t (file (entrypoint))) + (dontaudit crond_t utype (key (view read write search link setattr create))) + (dontaudit crond_t utype (fd (use))) + (dontaudit crond_t utype (process (transition))) + ) + ) + (booleanif (deny_ptrace) + (false + (allow utype crontab_t (process (ptrace))) + ) + ) + (optional confinedom_user_login_optional_7 + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require krb5_keytab_t) + (allow utype etc_t (dir (getattr open search))) + (allow utype krb5_keytab_t (dir (ioctl read getattr lock open search))) + (allow utype krb5_keytab_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_user_login_optional_8 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require pcscd_var_run_t) + (typeattributeset 
cil_gen_require pcscd_t) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype pcscd_var_run_t (dir (getattr open search))) + (allow utype pcscd_var_run_t (file (ioctl read getattr lock open))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype pcscd_var_run_t (dir (getattr open search))) + (allow utype pcscd_var_run_t (sock_file (write getattr append open))) + (allow utype pcscd_t (unix_stream_socket (connectto))) + ) + (optional confinedom_user_login_optional_9 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require samba_var_t) + (typeattributeset cil_gen_require winbind_t) + (typeattributeset cil_gen_require winbind_var_run_t) + (typeattributeset cil_gen_require smbd_var_run_t) + (typeattributeset cil_gen_require samba_etc_t) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype smbd_var_run_t (dir (getattr open search))) + (allow utype samba_var_t (dir (getattr open search))) + (allow utype winbind_var_run_t (dir (getattr open search))) + (allow utype winbind_var_run_t (sock_file (write getattr append open))) + (allow utype winbind_t (unix_stream_socket (connectto))) + (allow utype etc_t (dir (getattr open search))) + (allow utype samba_etc_t (dir (getattr open search))) + (allow utype samba_etc_t (dir (ioctl read getattr lock open search))) + (allow utype samba_etc_t (dir (getattr open search))) + (allow utype samba_etc_t (file (ioctl read getattr lock open))) 
+ ) + (optional confinedom_user_login_optional_10 + (typeattributeset cil_gen_require system_dbusd_t) + (allow cronjob_t utype (dbus (send_msg))) + ) + ) + (optional confinedom_user_login_optional_11 + ;(type dbusd_type) + (roletype object_r dbusd_type) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require system_dbusd_t) + (typeattributeset cil_gen_require session_dbusd_tmp_t) + (typeattributeset cil_gen_require dbusd_unconfined) + (typeattributeset cil_gen_require session_bus_type) + (typeattributeset cil_gen_require dbusd_exec_t) + (typeattributeset cil_gen_require dbusd_etc_t) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset cil_gen_require usr_t) + (roleattributeset cil_gen_require urole) + (roletype urole dbusd_type) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (dbusd_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (dbusd_type )) + (typeattributeset 
cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (dbusd_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (dbusd_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (dbusd_type )) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset userdom_home_manager_type (dbusd_type )) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (dbusd_type )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (dbusd_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type (dbusd_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (dbusd_type )) + (typeattributeset cil_gen_require session_bus_type) + (typeattributeset session_bus_type (dbusd_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (dbusd_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (dbusd_type )) + (allow utype session_dbusd_tmp_t (dir (ioctl write getattr lock open add_name search))) + (allow utype session_dbusd_tmp_t (sock_file (create getattr setattr open))) + (allow utype system_dbusd_t (dbus (send_msg))) + (allow dbusd_type dbusd_exec_t (file (entrypoint))) + (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open))) + (allow dbusd_type security_t (lnk_file (read getattr))) + (allow dbusd_type sysfs_t (filesystem (getattr))) + (allow dbusd_type sysfs_t 
(dir (getattr open search))) + (allow dbusd_type sysfs_t (dir (getattr open search))) + (allow dbusd_type security_t (filesystem (getattr))) + (allow utype dbusd_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto))) + (allow dbusd_type utype (unix_stream_socket (read write getattr accept getopt))) + (allow dbusd_type utype (unix_dgram_socket (sendto))) + (allow utype dbusd_type (dbus (acquire_svc send_msg))) + (allow dbusd_unconfined dbusd_type (dbus (acquire_svc send_msg))) + (allow utype system_dbusd_t (dbus (acquire_svc send_msg))) + (allow utype dbusd_type (process (noatsecure siginh rlimitinh))) + (allow dbusd_type utype (dbus (send_msg))) + (allow utype dbusd_type (dbus (send_msg))) + (allow dbusd_type utype (system (start reload))) + (allow dbusd_type session_dbusd_tmp_t (service (start stop))) + (allow utype session_dbusd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype session_dbusd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype dbusd_exec_t (file (ioctl read getattr map execute open))) + (allow utype dbusd_type (process (transition))) + (typetransition utype dbusd_exec_t process dbusd_type) + (allow dbusd_type utype (fd (use))) + (allow dbusd_type utype (fifo_file (ioctl read write getattr lock append))) + (allow dbusd_type utype (process (sigchld))) + (allow utype dbusd_type (dir (ioctl read getattr lock open search))) + (allow utype dbusd_type (file (ioctl read getattr lock open))) + (allow utype dbusd_type (lnk_file (read getattr))) + (allow utype dbusd_type (process (getattr))) + (allow utype dbusd_type (process (sigchld sigkill sigstop signull signal))) + (allow dbusd_type bin_t 
(dir (getattr open search))) + (allow dbusd_type bin_t (lnk_file (read getattr))) + (allow dbusd_type bin_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (allow dbusd_type usr_t (dir (getattr open search))) + (allow dbusd_type usr_t (lnk_file (read getattr))) + (allow dbusd_type usr_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type bin_t process utype) + (typetransition dbusd_type usr_t process utype) + (allow dbusd_type bin_t (dir (getattr open search))) + (allow dbusd_type bin_t (dir (ioctl read getattr lock open search))) + (allow dbusd_type bin_t (dir (getattr open search))) + (allow dbusd_type bin_t (lnk_file (read getattr))) + (allow dbusd_type shell_exec_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type shell_exec_t process utype) + (allow dbusd_type utype (process (sigkill))) + (allow utype dbusd_type (fd (use))) + (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append open))) + (allow dbusd_type file_type (service (start stop status reload enable disable))) + (dontaudit dbusd_type self (capability (net_admin))) + (allow utype session_dbusd_tmp_t (dir (getattr open search))) + (allow utype session_dbusd_tmp_t (sock_file (write getattr append open))) + (booleanif (deny_ptrace) + (false + (allow utype dbusd_type (process (ptrace))) + ) + ) + (optional confinedom_user_login_optional_12 + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require mozilla_exec_t) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (mozilla_exec_t )) + (typeattributeset cil_gen_require 
non_security_file_type) + (typeattributeset non_security_file_type (mozilla_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (mozilla_exec_t )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (mozilla_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (mozilla_exec_t )) + (allow utype mozilla_exec_t (file (entrypoint))) + (allow utype mozilla_exec_t (file (ioctl read getattr lock map execute open))) + (allow dbusd_type mozilla_exec_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type mozilla_exec_t process utype) + (allow utype dbusd_type (fd (use))) + (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append))) + (allow utype dbusd_type (process (sigchld))) + ) + (optional confinedom_user_login_optional_13 + (typeattributeset cil_gen_require systemd_unit_file_t) + (allow dbusd_type systemd_unit_file_t (service (start))) + ) + ) + (optional confinedom_user_login_optional_14 + ;(type gkeyringd_type) + (roletype object_r gkeyringd_type) + (roleattributeset cil_gen_require gconfd_roles) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require process_user_target) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset 
cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require gnomedomain) + (typeattributeset cil_gen_require gkeyringd_domain) + (typeattributeset cil_gen_require gnome_home_type) + (typeattributeset cil_gen_require gkeyringd_exec_t) + (typeattributeset cil_gen_require gkeyringd_tmp_t) + (typeattributeset cil_gen_require gconfd_t) + (typeattributeset cil_gen_require gconfd_exec_t) + (typeattributeset cil_gen_require gconf_tmp_t) + (typeattributeset cil_gen_require cache_home_t) + (roleattributeset cil_gen_require urole) + (roletype urole gkeyringd_type) + (roleattributeset cil_gen_require gconfd_roles) + (roleattributeset gconfd_roles (urole )) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (gkeyringd_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (gkeyringd_type )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (gkeyringd_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (gkeyringd_type )) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset userdom_home_manager_type (gkeyringd_type )) + (typeattributeset cil_gen_require ubac_constrained_type) + 
(typeattributeset ubac_constrained_type (gkeyringd_type )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (gkeyringd_type )) + (typeattributeset cil_gen_require gnomedomain) + (typeattributeset gnomedomain (gkeyringd_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require gkeyringd_domain) + (typeattributeset gkeyringd_domain (gkeyringd_type )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (gkeyringd_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (gkeyringd_type )) + (typeattributeset cil_gen_require process_user_target) + (typeattributeset process_user_target (gkeyringd_type )) + (allow gkeyringd_type gkeyringd_exec_t (file (entrypoint))) + (allow gkeyringd_type gkeyringd_exec_t (file (ioctl read getattr lock map execute open))) + (allow utype gconfd_exec_t (file (ioctl read getattr map execute open))) + (allow utype gconfd_t (process (transition))) + (typetransition utype gconfd_exec_t process gconfd_t) + (allow gconfd_t utype (fd (use))) + (allow gconfd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow gconfd_t utype (process (sigchld))) + (allow utype gconfd_t (process (sigchld sigkill sigstop signull signal))) + (allow utype gconfd_t (unix_stream_socket (connectto))) + (allow utype gconfd_t (dir (ioctl read getattr lock open search))) + (allow utype gconfd_t (file (ioctl read getattr lock open))) + (allow utype gconfd_t (lnk_file (read getattr))) + (allow utype gconfd_t (process (getattr))) + (allow gkeyringd_type utype (unix_stream_socket (ioctl read write create getattr setattr lock 
append bind connect listen accept getopt setopt shutdown connectto))) + (allow gkeyringd_type self (process (setsched))) + (allow utype gkeyringd_exec_t (file (ioctl read getattr map execute open))) + (allow utype gkeyringd_type (process (transition))) + (typetransition utype gkeyringd_exec_t process gkeyringd_type) + (allow gkeyringd_type utype (fd (use))) + (allow gkeyringd_type utype (fifo_file (ioctl read write getattr lock append))) + (allow gkeyringd_type utype (process (sigchld))) + (allow utype gnome_home_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype gkeyringd_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype gconf_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype gnome_home_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype gkeyringd_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype gconf_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype gkeyringd_tmp_t (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open))) + (allow utype gkeyringd_type (dir (ioctl read getattr lock open search))) + (allow utype gkeyringd_type (file (ioctl read getattr lock open))) + (allow utype gkeyringd_type (lnk_file (read getattr))) + (allow utype gkeyringd_type (process (getattr))) + (allow utype gkeyringd_type (process (sigchld sigkill sigstop signull 
signal))) + (dontaudit utype gkeyringd_exec_t (file (entrypoint))) + (allow gkeyringd_type utype (process (sigkill))) + (allow utype gkeyringd_type (fd (use))) + (allow utype gkeyringd_type (fifo_file (ioctl read write getattr lock append open))) + (allow utype gkeyringd_type (dbus (acquire_svc))) + (allow utype gkeyringd_tmp_t (dir (getattr open search))) + (allow utype gkeyringd_tmp_t (sock_file (write getattr append open))) + (allow utype gkeyringd_type (unix_stream_socket (connectto))) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type bin_t (lnk_file (read getattr))) + (allow gkeyringd_type bin_t (file (ioctl read getattr map execute open))) + (allow gkeyringd_type utype (process (transition))) + (allow gkeyringd_type usr_t (dir (getattr open search))) + (allow gkeyringd_type usr_t (lnk_file (read getattr))) + (allow gkeyringd_type usr_t (file (ioctl read getattr map execute open))) + (allow gkeyringd_type utype (process (transition))) + (typetransition gkeyringd_type bin_t process utype) + (typetransition gkeyringd_type usr_t process utype) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type bin_t (dir (ioctl read getattr lock open search))) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type bin_t (lnk_file (read getattr))) + (allow gkeyringd_type shell_exec_t (file (ioctl read getattr map execute open))) + (allow gkeyringd_type utype (process (transition))) + (typetransition gkeyringd_type shell_exec_t process utype) + (allow utype gconf_tmp_t (dir (getattr open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype tmp_t (lnk_file (read getattr))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype user_tmp_t (dir (getattr open search))) + (allow utype gkeyringd_tmp_t (dir (getattr open search))) + (allow utype gkeyringd_tmp_t (sock_file (write getattr append open))) + (allow 
utype gkeyringd_domain (unix_stream_socket (connectto))) + (allow utype cache_home_t (dir (getattr open search))) + (allow utype cache_home_t (sock_file (write getattr append open))) + (allow utype gkeyringd_domain (unix_stream_socket (connectto))) + (allow gkeyringd_type utype (dir (ioctl read getattr lock open search))) + (allow gkeyringd_type utype (file (ioctl read getattr lock open))) + (allow gkeyringd_type utype (lnk_file (read getattr))) + (allow gkeyringd_type utype (process (getattr))) + (allow gkeyringd_type user_tmp_t (dir (ioctl read getattr lock open search))) + (allow gkeyringd_type user_tmp_t (sock_file (read write getattr append))) + (allow gkeyringd_type tmpfs_t (dir (getattr open search))) + (allow gkeyringd_type tmp_t (dir (getattr open search))) + (allow gkeyringd_type tmp_t (lnk_file (read getattr))) + (allow gkeyringd_type tmp_t (dir (getattr open search))) + (allow gkeyringd_type utype (dbus (acquire_svc send_msg))) + (allow utype gkeyringd_type (dbus (send_msg))) + (optional confinedom_user_login_optional_15 + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require system_dbusd_t) + (typeattributeset cil_gen_require session_bus_type) + (typeattributeset cil_gen_require dbusd_type) + (typeattributeset cil_gen_require gnome_home_t) + (typeattributeset cil_gen_require data_home_t) + (typeattributeset cil_gen_require gconf_home_t) + (allow dbusd_type gkeyringd_exec_t (file (ioctl read getattr map execute open))) + (allow dbusd_type gkeyringd_type (process (transition))) + (typetransition dbusd_type gkeyringd_exec_t process gkeyringd_type) + (allow gkeyringd_type dbusd_type (fd (use))) + (allow gkeyringd_type dbusd_type (fifo_file (ioctl read write getattr lock append))) + (allow gkeyringd_type dbusd_type (process (sigchld))) + (allow gkeyringd_type session_bus_type (dbus (send_msg))) + (allow gkeyringd_type self (dbus (send_msg))) + (allow gkeyringd_type 
session_bus_type (unix_stream_socket (connectto))) + (allow session_bus_type gkeyringd_type (process (sigkill))) + (allow gkeyringd_type session_bus_type (dbus (acquire_svc))) + (allow gkeyringd_type system_dbusd_t (unix_stream_socket (connectto))) + (allow gkeyringd_type system_dbusd_t (dbus (send_msg))) + (allow gkeyringd_type user_home_dir_t (dir (getattr open search))) + (allow gkeyringd_type user_home_dir_t (lnk_file (read getattr))) + (allow gkeyringd_type home_root_t (dir (getattr open search))) + (allow gkeyringd_type home_root_t (lnk_file (read getattr))) + (allow gkeyringd_type gnome_home_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow gkeyringd_type data_home_t (dir (getattr open search))) + (allow gkeyringd_type gconf_home_t (dir (getattr open search))) + (allow gkeyringd_type data_home_t (file (ioctl read getattr lock open))) + (allow gkeyringd_type data_home_t (dir (getattr open search))) + (allow gkeyringd_type gconf_home_t (dir (getattr open search))) + (allow gkeyringd_type data_home_t (lnk_file (read getattr))) + (allow gkeyringd_type data_home_t (dir (getattr open search))) + (allow gkeyringd_type gconf_home_t (dir (getattr open search))) + (allow gkeyringd_type data_home_t (dir (ioctl read getattr lock open search))) + (optional confinedom_user_login_optional_16 + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require telepathy_mission_control_t) + (typeattributeset cil_gen_require telepathy_gabble_t) + (allow gkeyringd_type proc_t (dir (getattr open search))) + (allow gkeyringd_type proc_t (dir (getattr open search))) + (allow gkeyringd_type telepathy_mission_control_t (dir (ioctl read getattr lock open search))) + (allow gkeyringd_type telepathy_mission_control_t (file (ioctl read getattr lock open))) + (allow gkeyringd_type telepathy_mission_control_t (lnk_file (read getattr))) + (allow gkeyringd_type 
telepathy_mission_control_t (process (getattr))) + (allow telepathy_gabble_t gkeyringd_tmp_t (dir (getattr open search))) + (allow telepathy_gabble_t gkeyringd_tmp_t (sock_file (write getattr append open))) + (allow telepathy_gabble_t gkeyringd_type (unix_stream_socket (connectto))) + ) + (optional confinedom_user_login_optional_17 + (typeattributeset cil_gen_require systemd_logind_t) + (allow gkeyringd_type systemd_logind_t (dbus (send_msg))) + (allow systemd_logind_t gkeyringd_type (dbus (send_msg))) + (allow systemd_logind_t gkeyringd_type (dir (ioctl read getattr lock open search))) + (allow systemd_logind_t gkeyringd_type (file (ioctl read getattr lock open))) + (allow systemd_logind_t gkeyringd_type (lnk_file (read getattr))) + (allow systemd_logind_t gkeyringd_type (process (getattr))) + (allow systemd_logind_t gkeyringd_type (process (signal))) + (allow gkeyringd_type systemd_logind_t (fd (use))) + ) + ) + (optional confinedom_user_login_optional_18 + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require ssh_agent_exec_t) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type bin_t (lnk_file (read getattr))) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + ) + ) + (optional confinedom_user_login_optional_19 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require locate_var_lib_t) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype locate_var_lib_t (dir (getattr open search))) + (allow utype locate_var_lib_t (file (ioctl read getattr lock open))) + (allow utype locate_var_lib_t (dir (ioctl read getattr lock open search))) + ) + (optional confinedom_user_login_optional_20 + (typeattributeset 
cil_gen_require var_t) + (typeattributeset cil_gen_require mail_spool_t) + (typeattributeset cil_gen_require var_spool_t) + (allow utype var_t (dir (getattr open search))) + (allow utype var_spool_t (dir (getattr open search))) + (allow utype mail_spool_t (dir (ioctl read getattr lock open search))) + (allow utype mail_spool_t (dir (getattr open search))) + (allow utype mail_spool_t (file (getattr))) + (allow utype mail_spool_t (dir (getattr open search))) + (allow utype mail_spool_t (lnk_file (read getattr))) + ) + ) + ) +) + +(macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type)) + (optional confined_ssh_connect_macro_optional + (typeattributeset cil_gen_require sshd_t) + (typeattributeset cil_gen_require ptmx_t) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require sshd_devpts_t) + (typeattributeset cil_gen_require ssh_server) + (typeattributeset cil_gen_require ssh_t) + (typeattributeset cil_gen_require ssh_exec_t) + (typeattributeset cil_gen_require ssh_tmpfs_t) + (typeattributeset cil_gen_require ssh_home_t) + (typeattributeset cil_gen_require ssh_agent_exec_t) + (typeattributeset cil_gen_require ssh_keysign_t) + (typeattributeset cil_gen_require ssh_agent_tmp_t) + (typeattributeset cil_gen_require cache_home_t) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require privfd) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require home_root_t) + 
(typeattributeset cil_gen_require user_tmp_type) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require tty_device_t) + (typeattributeset cil_gen_require user_home_t) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset cil_gen_require ssh_keygen_exec_t) + (roleattributeset cil_gen_require urole) + (roletype object_r ssh_agent_type) + (roletype urole ssh_t) + (roletype urole ssh_agent_type) + (roletype urole user_tmp_t) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (ssh_agent_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (ssh_agent_type )) + (typeattributeset cil_gen_require privfd) + (typeattributeset privfd (ssh_agent_type )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (ssh_agent_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (ssh_agent_type )) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset userdom_home_manager_type (ssh_agent_type )) + (typeattributeset cil_gen_require 
ubac_constrained_type) + (typeattributeset ubac_constrained_type (ssh_agent_type )) + (typeattributeset cil_gen_require ssh_agent_type) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (ssh_agent_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (ssh_agent_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (ssh_agent_type )) + (allow sshd_t utype (process (dyntransition))) + (allow utype sshd_t (process (sigchld))) + (allow sshd_t utype (process (sigkill sigstop signull signal getattr))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype ptmx_t (chr_file (ioctl read write getattr lock append open))) + (allow utype sshd_devpts_t (chr_file (ioctl read write getattr lock append))) + (allow ssh_agent_type ssh_agent_exec_t (file (entrypoint))) + (allow ssh_agent_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open))) + (allow utype ssh_exec_t (file (ioctl read getattr map execute open))) + (allow utype ssh_t (process (transition))) + (typetransition utype ssh_exec_t process ssh_t) + (allow ssh_t utype (fd (use))) + (allow ssh_t utype (fifo_file (ioctl read write getattr lock append))) + (allow ssh_t utype (process (sigchld))) + (allow utype ssh_server (unix_stream_socket (ioctl read write getattr setattr lock append bind connect listen accept getopt setopt shutdown))) + (allow utype ssh_t (dir (ioctl 
read getattr lock open search))) + (allow utype ssh_t (file (ioctl read getattr lock open))) + (allow utype ssh_t (lnk_file (read getattr))) + (allow utype ssh_t (process (getattr))) + (allow utype ssh_t (process (sigchld sigkill sigstop signull signal))) + (allow ssh_t utype (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown))) + (allow ssh_t utype (unix_stream_socket (connectto))) + (allow ssh_t utype (key (view read write search link setattr create))) + (allow utype ssh_t (key (view read write search))) + (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype ssh_home_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype ssh_home_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype ssh_home_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_dir_t (lnk_file (read getattr))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (typemember ssh_t tmp_t dir user_tmp_t) + (allow ssh_t user_tmp_type (dir (mounton))) + (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow ssh_t user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow ssh_t user_tmp_type (file (ioctl read write create getattr setattr lock 
append unlink link rename open watch watch_reads))) + (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow ssh_t user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow ssh_t user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow ssh_t user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow ssh_t tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition ssh_t tmp_t fifo_file user_tmp_t) + (typetransition ssh_t tmp_t sock_file user_tmp_t) + (typetransition ssh_t tmp_t lnk_file user_tmp_t) + (typetransition ssh_t tmp_t dir user_tmp_t) + (typetransition ssh_t tmp_t file user_tmp_t) + (allow user_tmp_t tmpfs_t (filesystem (associate))) + (allow ssh_t tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition ssh_t tmpfs_t fifo_file user_tmp_t) + (typetransition ssh_t tmpfs_t sock_file user_tmp_t) + (typetransition ssh_t tmpfs_t lnk_file user_tmp_t) + (typetransition ssh_t tmpfs_t dir user_tmp_t) + (typetransition ssh_t tmpfs_t file user_tmp_t) + (allow ssh_t user_tmp_type (dir (getattr open search))) + (allow ssh_t user_tmp_type (dir (getattr relabelfrom relabelto))) + (allow ssh_t user_tmp_type (dir (getattr open search))) + (allow ssh_t user_tmp_type (file (getattr relabelfrom relabelto))) + (allow ssh_t user_tmp_type (dir (getattr open search))) + (allow ssh_t user_tmp_type (lnk_file (getattr relabelfrom relabelto))) + (allow ssh_t user_tmp_type (dir (getattr open search))) + (allow ssh_t user_tmp_type (sock_file (getattr relabelfrom relabelto))) + (allow 
ssh_t user_tmp_type (dir (getattr open search))) + (allow ssh_t user_tmp_type (fifo_file (getattr relabelfrom relabelto))) + (allow ssh_t user_tmp_type (file (map))) + (allow ssh_agent_type utype (process (signull))) + (allow ssh_agent_type ssh_agent_type (process (signull))) + (allow ssh_agent_type self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto))) + (allow utype ssh_agent_tmp_t (dir (getattr open search))) + (allow utype ssh_agent_tmp_t (sock_file (write getattr append open))) + (allow utype ssh_agent_type (unix_stream_socket (connectto))) + (allow utype cache_home_t (dir (getattr open search))) + (allow utype cache_home_t (sock_file (write getattr append open))) + (allow utype ssh_agent_type (unix_stream_socket (connectto))) + (allow utype ssh_agent_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown))) + (allow utype ssh_agent_type (process (sigchld sigkill sigstop signull signal))) + (allow utype ssh_agent_type (dir (ioctl read getattr lock open search))) + (allow utype ssh_agent_type (file (ioctl read getattr lock open))) + (allow utype ssh_agent_type (lnk_file (read getattr))) + (allow utype ssh_agent_type (process (getattr))) + (allow ssh_agent_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype ssh_agent_exec_t (file (ioctl read getattr map execute open))) + (allow utype ssh_agent_type (process (transition))) + (typetransition utype ssh_agent_exec_t process ssh_agent_type) + (allow ssh_agent_type utype (fd (use))) + (allow ssh_agent_type utype (fifo_file (ioctl read write getattr lock append))) + (allow ssh_agent_type utype (process (sigchld))) + (allow ssh_agent_type bin_t (dir (getattr open search))) + (allow ssh_agent_type bin_t (dir (ioctl read getattr lock open search))) + (allow ssh_agent_type bin_t (dir (getattr open search))) + 
(allow ssh_agent_type bin_t (lnk_file (read getattr))) + (allow ssh_agent_type shell_exec_t (file (ioctl read getattr map execute open))) + (allow ssh_agent_type utype (process (transition))) + (typetransition ssh_agent_type shell_exec_t process utype) + (allow ssh_agent_type bin_t (dir (getattr open search))) + (allow ssh_agent_type bin_t (lnk_file (read getattr))) + (allow ssh_agent_type bin_t (file (ioctl read getattr map execute open))) + (allow ssh_agent_type utype (process (transition))) + (allow ssh_agent_type usr_t (dir (getattr open search))) + (allow ssh_agent_type usr_t (lnk_file (read getattr))) + (allow ssh_agent_type usr_t (file (ioctl read getattr map execute open))) + (allow ssh_agent_type utype (process (transition))) + (typetransition ssh_agent_type bin_t process utype) + (typetransition ssh_agent_type usr_t process utype) + (allow ssh_agent_type device_t (dir (getattr open search))) + (allow ssh_agent_type device_t (dir (ioctl read getattr lock open search))) + (allow ssh_agent_type device_t (dir (getattr open search))) + (allow ssh_agent_type device_t (lnk_file (read getattr))) + (allow ssh_agent_type tty_device_t (chr_file (ioctl read write getattr lock append open))) + (allow ssh_agent_type user_home_t (file (ioctl read getattr map execute open))) + (allow ssh_agent_type utype (process (transition))) + (typetransition ssh_agent_type user_home_t process utype) + (allow ssh_agent_type user_home_dir_t (dir (getattr open search))) + (allow ssh_agent_type home_root_t (dir (getattr open search))) + (allow ssh_agent_type home_root_t (lnk_file (read getattr))) + (allow utype ssh_keygen_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + ) +) + +(macro confined_use_basic_commands_macro ((type utype) (role urole)) + (optional confined_use_basic_commands_optional_2 + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require init_var_lib_t) + (typeattributeset cil_gen_require utype) + (typeattributeset 
cil_gen_require login_confinedom) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require syslogd_var_run_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require systemd_systemctl_exec_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require cgroup_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require efivarfs_t) + (typeattributeset cil_gen_require init_var_run_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require systemd_logind_var_run_t) + (typeattributeset cil_gen_require systemd_passwd_agent_t) + (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) + (typeattributeset cil_gen_require systemd_passwd_var_run_t) + (allow utype utype (process (setpgid))) + (allow utype utype (system (status))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype init_var_lib_t (dir (getattr open search))) + (allow utype init_var_lib_t (file (ioctl read getattr map open))) + (allow utype init_t (process (signal))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_log_t (dir (ioctl read getattr lock open search))) + (allow utype var_log_t (file (map))) + (allow utype var_log_t (dir (getattr open search))) + (allow utype var_log_t (file (ioctl read getattr lock open))) + (allow utype var_log_t (dir (getattr open search))) + (allow utype var_log_t (lnk_file (read getattr))) + (allow utype syslogd_var_run_t (dir (getattr open search))) + (allow utype syslogd_var_run_t (file (ioctl read getattr lock open map))) + (allow utype syslogd_var_run_t (dir (getattr open search))) + (allow utype syslogd_var_run_t (dir (ioctl read getattr lock open search))) + 
;corecmd_bin_entry_type(utype) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (file (entrypoint))) + (allow utype bin_t (file (ioctl read getattr lock map execute open))) + (allow utype usr_t (file (entrypoint))) + (allow utype usr_t (file (ioctl read getattr lock map execute open))) + (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (dir (ioctl read getattr lock open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (file (ioctl read getattr lock open))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (lnk_file (read getattr))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype efivarfs_t (dir (getattr open search))) + (allow utype efivarfs_t (file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) + (allow utype init_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype init_t (dir (getattr open search))) + (allow utype init_t (file (ioctl read getattr lock open))) + (allow utype init_t (lnk_file (read getattr))) + (allow utype init_t (unix_stream_socket (sendto))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir 
(getattr open search))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (sock_file (write getattr append open))) + (allow utype init_t (unix_stream_socket (connectto))) + (allow utype init_t (unix_stream_socket (getattr))) + (dontaudit utype self (process (setrlimit))) + (dontaudit utype self (capability (sys_resource))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) + (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow 
systemd_passwd_agent_t utype (process (signull))) + (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) + (dontaudit utype self (capability (net_admin sys_ptrace))) + (allow utype systemd_unit_file_type (service (status))) + (optional confined_use_basic_commands_optional_3 + (typeattributeset cil_gen_require adjtime_t) + (typeattributeset cil_gen_require etc_t) + (allow utype etc_t (dir (ioctl read getattr lock open search))) + (allow utype adjtime_t (file (ioctl read getattr lock open))) + ) + (optional confined_use_basic_commands_optional_4 + (typeattributeset cil_gen_require mandb_cache_t) + (allow utype mandb_cache_t (file (map))) + ) + (optional confined_use_basic_commands_optional_5 + (roleattributeset cil_gen_require passwd_roles) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require passwd_t) + (typeattributeset cil_gen_require passwd_exec_t) + (roleattributeset cil_gen_require passwd_roles) + (roleattributeset passwd_roles (urole )) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype passwd_exec_t (file (ioctl read getattr map execute open))) + (allow utype passwd_t (process (transition))) + (typetransition utype passwd_exec_t process passwd_t) + (allow passwd_t utype (fd (use))) + (allow passwd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow passwd_t utype (process (sigchld))) + ) + ) +) + +;(call confinedom_admin_commands_macro (u_t u_r u_sudo_t)) +;(call confinedom_graphical_login_macro (u_t u_r u_dbus_t)) +;(call confinedom_mozilla_usage_macro (u_t u_r)) +;(call confinedom_networking_macro (u_t u_r)) +;(call confinedom_security_advanced_macro (u_t u_r u_sudo_t u_userhelper_t)) +;(call confinedom_security_basic_macro (u_t u_r)) +;(call confinedom_sudo_macro (u_t u_r u_sudo_t u_sudo_tmp_t)) +;(call confinedom_user_login_macro (u_t u_r 
u_gkeyringd_t u_dbus_t u_exec_content)) +;(call confined_ssh_connect_macro (u_t u_r u_ssh_agent_t)) +;(call confined_use_basic_commands_macro (u_t u_r)) From d444e67ead27266d57184ab8bc032c5528f7e26c Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Wed, 20 Dec 2023 14:33:27 +0100 Subject: [PATCH 2/3] Add tests covering confined user policy generation Signed-off-by: Vit Mojzis --- tests/test_confined_abcdgilmns.cil | 24 ++++++++++++++++++++ tests/test_confined_cla.cil | 15 +++++++++++++ tests/test_confined_lb.cil | 12 ++++++++++ tests/test_confined_lsid.cil | 17 +++++++++++++++ tests/test_main.py | 35 +++++++++++++++++++++++++----- 5 files changed, 98 insertions(+), 5 deletions(-) create mode 100644 tests/test_confined_abcdgilmns.cil create mode 100644 tests/test_confined_cla.cil create mode 100644 tests/test_confined_lb.cil create mode 100644 tests/test_confined_lsid.cil diff --git a/tests/test_confined_abcdgilmns.cil b/tests/test_confined_abcdgilmns.cil new file mode 100644 index 0000000..5fd619f --- /dev/null +++ b/tests/test_confined_abcdgilmns.cil 
@@ -0,0 +1,24 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_ssh_agent_t)
+(type my_container_sudo_t)
+(type my_container_sudo_tmp_t)
+(type my_container_t)
+(type my_container_userhelper_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_admin_commands_macro (my_container_t my_container_r my_container_sudo_t))
+(call confinedom_graphical_login_macro (my_container_t my_container_r my_container_dbus_t))
+(call confinedom_mozilla_usage_macro (my_container_t my_container_r))
+(call confinedom_networking_macro (my_container_t my_container_r))
+(call confinedom_security_advanced_macro (my_container_t my_container_r my_container_sudo_t my_container_userhelper_t))
+(call confinedom_security_basic_macro (my_container_t my_container_r))
+(call confinedom_sudo_macro (my_container_t my_container_r my_container_sudo_t my_container_sudo_tmp_t))
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+(call confined_ssh_connect_macro (my_container_t my_container_r my_container_ssh_agent_t))
+(call confined_use_basic_commands_macro (my_container_t my_container_r))
\ No newline at end of file
diff --git a/tests/test_confined_cla.cil b/tests/test_confined_cla.cil
new file mode 100644
index 0000000..a633aaa
--- /dev/null
+++ b/tests/test_confined_cla.cil
@@ -0,0 +1,15 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_ssh_agent_t)
+(type my_container_sudo_t)
+(type my_container_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_admin_commands_macro (my_container_t my_container_r my_container_sudo_t))
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+(call confined_ssh_connect_macro (my_container_t my_container_r my_container_ssh_agent_t))
\ No newline at end of file
diff --git a/tests/test_confined_lb.cil b/tests/test_confined_lb.cil
new file mode 100644
index 0000000..3e3c997
--- /dev/null
+++ b/tests/test_confined_lb.cil
@@ -0,0 +1,12 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+(call confined_use_basic_commands_macro (my_container_t my_container_r))
\ No newline at end of file
diff --git a/tests/test_confined_lsid.cil b/tests/test_confined_lsid.cil
new file mode 100644
index 0000000..8719420
--- /dev/null
+++ b/tests/test_confined_lsid.cil
@@ -0,0 +1,17 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_sudo_t)
+(type my_container_sudo_tmp_t)
+(type my_container_t)
+(type my_container_userhelper_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_security_advanced_macro (my_container_t my_container_r my_container_sudo_t my_container_userhelper_t))
+(call confinedom_security_basic_macro (my_container_t my_container_r))
+(call confinedom_sudo_macro (my_container_t my_container_r my_container_sudo_t my_container_sudo_tmp_t))
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
\ No newline at end of file
diff --git a/tests/test_main.py b/tests/test_main.py
index fb6a9ab..0c73861 100644
--- a/tests/test_main.py
+++ b/tests/test_main.py
@@ -369,7 +369,26 @@ def test_device_access_podman(self):
 self.assert_templates(output, ["base_container"])
 self.assert_policy(test_file("test_devices.podman.cil"))

- def run_udica(self, args):
+ # Confined user tests
+ def test_confined_user(self):
+ """udica confined_user --level s0 --range s0:c0 my_container"""
+ for arg in ["cla", "lb", "lsid", "abcdgilmns"]:
+ output = self.run_udica(
+ [
+ "udica",
+ "confined_user",
+ "-{}".format(arg),
+ "--level",
+ "s0",
+ "--range",
+ "s0:c0",
+ "my_container",
+ ],
+ True,
+ )
+ self.assert_policy(test_file("test_confined_{}.cil".format(arg)))
+
+ def run_udica(self, args, confined=False):
 with patch("sys.argv", args):
 with patch("sys.stderr.write") as mock_err, patch(
 "sys.stdout.write"
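Review bot: In test_confined_user the `output` returned by `self.run_udica(...)` is assigned but never used, and the `True` passed positionally for the new `confined` parameter is opaque at the call site; `self.run_udica([...], confined=True)` together with `def run_udica(self, args, *, confined=False):` would make the flag keyword-only and self-describing. Wrapping the loop body in `with self.subTest(arg=arg):` would report every failing fixture instead of stopping at the first mismatch. The docstring `"""udica confined_user --level s0 --range s0:c0 my_container"""` omits the `-<options>` argument the loop actually passes for each fixture. run_udica's body continues outside the hunk.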
@@ -383,10 +402,16 @@ def store_output(output):
 udica.__main__.main()
 mock_err.assert_not_called()
- self.assertRegex(mock_out.output, "Policy my_container created")
- self.assertRegex(
- mock_out.output, "--security-opt label=type:my_container.process"
- )
+ if confined:
+ self.assertRegex(mock_out.output, "semodule -i my_container.cil")
+ self.assertRegex(
+ mock_out.output, "semanage login -a -s my_container_u my_container"
+ )
+ else:
+ self.assertRegex(mock_out.output, "Policy my_container created")
+ self.assertRegex(
+ mock_out.output, "--security-opt label=type:my_container.process"
+ )
 return mock_out.output
From f411c146986fabe7375724528b2d4ba8cf78b904 Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Mon, 12 Feb 2024 19:38:14 +0100 Subject: [PATCH 3/3] confined: make "-l" non optional The confinedom_user_login_macro is needed for all custom users. Also, allow the new user type to be accessed via remote login. Signed-off-by: Vit Mojzis --- udica/__main__.py | 2 +- udica/macros/confined_user_macros.cil | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/udica/__main__.py b/udica/__main__.py
index 1ba8515..801499c 100644
--- a/udica/__main__.py
+++ b/udica/__main__.py
@@ -92,7 +92,7 @@ def get_args():
 "-l",
 "--user_login",
 action="store_true",
- default=False,
+ default=True,
 dest="user_login",
 help="Basic rules common to all users (tty, pty, ...)",
 )
diff --git a/udica/macros/confined_user_macros.cil b/udica/macros/confined_user_macros.cil
index ddb5689..06c4c56 100644
--- a/udica/macros/confined_user_macros.cil
+++ b/udica/macros/confined_user_macros.cil
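Review bot: With `action="store_true"`, `default=True` turns `-l`/`--user_login` into a no-op — passing it changes nothing and there is no way to pass the opposite — yet the parser still advertises it as a choice with help text that reads as optional. If the login rules are mandatory for every generated user, say so in the help, e.g. `help="Basic rules common to all users (tty, pty, ...); always enabled"`, or remove the flag and treat `user_login` as unconditionally set where the options are consumed (outside this hunk). The fixtures added in the previous patch pass `-l` explicitly, so they would keep passing with either approach. get_args() continues outside the hunk.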
@@ -2411,7 +2411,7 @@
 (typetransition utype sudo_exec_t process sudo_type)
 (allow sudo_type utype (fd (use)))
 (allow sudo_type utype (fifo_file (ioctl read write getattr lock append)))
- (allow sudo_type utype (process (sigchld)))
+ (allow sudo_type utype (process (getpgid sigchld)))
 (allow sudo_type bin_t (dir (getattr open search)))
 (allow sudo_type bin_t (dir (ioctl read getattr lock open search)))
 (allow sudo_type bin_t (dir (getattr open search)))
@@ -4006,6 +4006,12 @@
 )
 )
 )
+ ; Telnet login
+ (optional confinedom_user_login_optional_3
+ (typeattributeset cil_gen_require remote_login_t)
+ (allow remote_login_t utype (process (signal transition)))
+ (allow utype self (bpf (prog_load)))
+ )
 )

 (macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type))
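Review bot: `(allow utype self (bpf (prog_load)))` in the new confinedom_user_login_optional_3 block grants the confined user domain itself the right to load BPF programs, a kernel-facing privilege that is unrelated to the `remote_login_t` transition the `; Telnet login` comment describes and that every generated user receives on any system where remote_login_t is defined. If a remote-login path needs it — possibly a user session service, but that is inferred — a comment naming the denial it resolves, e.g. `; bpf prog_load: needed by <placeholder: denied process> during remote login`, would let reviewers judge the scope; otherwise it belongs in its own optional or tunable so users that never log in remotely are not granted it. The hunk at -2411 likewise adds `getpgid` to the sudo_type→utype process rule without a note on which sudo path needs it. The enclosing confinedom_user_login_macro starts outside the hunk.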