policy_module(mcs,1.0.3) ######################################## # # Declarations # attribute mcskillall; attribute mcsptraceall; attribute mcssetcats; ######################################## # # THIS IS A HACK # # Only the base module can have range_transitions, so we # temporarily have to break encapsulation to work around this. # type auditd_exec_t; type crond_exec_t; type cupsd_exec_t; type getty_t; type init_t; type init_exec_t; type initrc_t; type initrc_exec_t; type login_exec_t; type sshd_exec_t; type udev_exec_t; type unconfined_t; type xdm_exec_t; ifdef(`enable_mcs',` # The eventual plan is to have a range_transition to s0 for the daemon by # default and have the daemons which need to run with all categories be # exceptions. But while range_transitions have to be in the base module # this is not possible. range_transition getty_t login_exec_t s0 - s0:c0.c255; range_transition init_t xdm_exec_t s0 - s0:c0.c255; range_transition initrc_t crond_exec_t s0 - s0:c0.c255; range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; range_transition initrc_t udev_exec_t s0 - s0:c0.c255; range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; range_transition kernel_t udev_exec_t s0 - s0:c0.c255; # these might be targeted_policy only range_transition unconfined_t initrc_exec_t s0; ')