From a3c99dc617824ef29d5b6905d96c007459514d78 Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Thu, 21 Dec 2023 00:08:06 +0100 Subject: [PATCH] udica-0.2.8-2 - Add option to generate custom policy for a confined user --- ...nerate-custom-policy-for-a-confined-.patch | 4923 +++++++++++++++++ ...ring-confined-user-policy-generation.patch | 170 + udica.spec | 12 +- 3 files changed, 5103 insertions(+), 2 deletions(-) create mode 100644 0001-Add-option-to-generate-custom-policy-for-a-confined-.patch create mode 100644 0002-Add-tests-covering-confined-user-policy-generation.patch diff --git a/0001-Add-option-to-generate-custom-policy-for-a-confined-.patch b/0001-Add-option-to-generate-custom-policy-for-a-confined-.patch new file mode 100644 index 0000000..d18dbbc --- /dev/null +++ b/0001-Add-option-to-generate-custom-policy-for-a-confined-.patch 
@@ -0,0 +1,4923 @@ +From 21aa1fb602540d26e3ccad46ab59922da1810dd8 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Wed, 29 Nov 2023 10:38:48 +0100 +Subject: [PATCH] Add option to generate custom policy for a confined user +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Udica can now generate cil policy for a confined user using a list of +macros. +The macros are based on policy templates created by Patrik Končitý: +https://github.com/Koncpa/confined-users-policy + +Signed-off-by: Vit Mojzis +--- + setup.py | 1 + + udica/__main__.py | 332 +- + udica/confined_user.py | 134 + + udica/macros/confined_user_macros.cil | 4367 +++++++++++++++++++++++++ + 4 files changed, 4719 insertions(+), 115 deletions(-) + create mode 100644 udica/confined_user.py + create mode 100644 udica/macros/confined_user_macros.cil + +diff --git a/setup.py b/setup.py +index deb6457..d3f20f4 100644 +--- a/setup.py ++++ b/setup.py +@@ -37,6 +37,7 @@ setuptools.setup( + data_files=[ + ("/usr/share/licenses/udica", ["LICENSE"]), + ("/usr/share/udica/ansible", ["udica/ansible/deploy-module.yml"]), ++ ("/usr/share/udica/macros", ["udica/macros/confined_user_macros.cil"]), + ], + # scripts=["bin/udica"], + entry_points={"console_scripts": ["udica=udica.__main__:main"]}, +diff --git a/udica/__main__.py b/udica/__main__.py +index 43d2e43..2bbd401 100644 +--- a/udica/__main__.py ++++ b/udica/__main__.py +@@ -13,8 +13,9 @@ + # You should have received a copy of the GNU General Public License + # along with this program. If not, see . + +-import subprocess + import argparse ++import subprocess ++import sys + + # import udica + from udica.parse import parse_avc_file +@@ -25,116 +26,214 @@ from udica.policy import create_policy, load_policy, generate_playbook + + + def get_args(): +- parser = argparse.ArgumentParser( +- description="Script generates SELinux policy for running container." 
+- ) +- parser.add_argument("-V", "--version", action="version", version=version) +- parser.add_argument( +- type=str, help="Name for SELinux policy module", dest="ContainerName" +- ) +- parser.add_argument( +- "-i", +- "--container-id", +- type=str, +- help="Running container ID", +- dest="ContainerID", +- default=None, +- ) +- parser.add_argument( +- "-j", +- "--json", +- help='Load json from this file, use "-j -" for stdin', +- required=False, +- dest="JsonFile", +- default=None, +- ) +- parser.add_argument( +- "--full-network-access", +- help="Allow container full Network access ", +- required=False, +- dest="FullNetworkAccess", +- action="store_true", +- ) +- parser.add_argument( +- "--tty-access", +- help="Allow container to read and write the controlling terminal ", +- required=False, +- dest="TtyAccess", +- action="store_true", +- ) +- parser.add_argument( +- "--X-access", +- help="Allow container to communicate with Xserver ", +- required=False, +- dest="XAccess", +- action="store_true", +- ) +- parser.add_argument( +- "--virt-access", +- help="Allow container to communicate with libvirt ", +- required=False, +- dest="VirtAccess", +- action="store_true", +- ) +- parser.add_argument( +- "-s", +- "--stream-connect", +- help="Allow container to stream connect with given SELinux domain ", +- required=False, +- dest="StreamConnect", +- ) +- parser.add_argument( +- "-l", +- "--load-modules", +- help="Load templates and module created by this tool ", +- required=False, +- dest="LoadModules", +- action="store_true", +- ) +- parser.add_argument( +- "-c", +- "--caps", +- help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"', +- required=False, +- dest="Caps", +- default=None, +- ) +- parser.add_argument( +- "--devices", +- type=str, +- help='List of devices the container should have access to, e.g "--devices /dev/dri/card0,/dev/dri/renderD128"', +- 
dest="Devices", +- required=False, +- default=None, +- ) +- parser.add_argument( +- "-d", +- "--ansible", +- help="Generate ansible playbook to deploy SELinux policy for containers ", +- required=False, +- dest="Ansible", +- action="store_true", +- ) +- parser.add_argument( +- "-a", +- "--append-rules", +- type=str, +- help="Append more SELinux allow rules from file", +- dest="FileAVCS", +- required=False, +- default=None, +- ) +- parser.add_argument( +- "-e", +- "--container-engine", +- type=str, +- help="Specify which container engine is used for the inspected container (supports: {})".format( +- ", ".join(ENGINE_ALL) +- ), +- dest="ContainerEngine", +- required=False, +- default="-", +- ) ++ if "confined_user" in sys.argv: ++ # set up confined_user parser (do not show normal "udica" options) ++ parser = argparse.ArgumentParser( ++ description="SELinux confined user policy generator" ++ ) ++ parser.add_argument("confined_user") ++ parser.add_argument( ++ "-a", ++ "--admin_commands", ++ action="store_true", ++ default=False, ++ dest="admin_commands", ++ help="Use administrative commands (vipw, passwd, ...)", ++ ) ++ parser.add_argument( ++ "-g", ++ "--graphical_login", ++ action="store_true", ++ default=False, ++ dest="graphical_login", ++ help="Use graphical login environment", ++ ) ++ parser.add_argument( ++ "-m", ++ "--mozilla_usage", ++ action="store_true", ++ default=False, ++ dest="mozilla_usage", ++ help="Use mozilla firefox", ++ ) ++ parser.add_argument( ++ "-n", ++ "--networking", ++ action="store_true", ++ default=False, ++ dest="networking", ++ help="Manage basic networking (ip, ifconfig, traceroute, tcpdump, ...)", ++ ) ++ parser.add_argument( ++ "-d", ++ "--security_advanced", ++ action="store_true", ++ default=False, ++ dest="security_advanced", ++ help="Manage SELinux settings (semanage, semodule, sepolicy, ...)", ++ ) ++ parser.add_argument( ++ "-i", ++ "--security_basic", ++ action="store_true", ++ default=False, ++ dest="security_basic", ++ 
help="Use read-only security-related tools (seinfo, getsebool, sesearch, ...)", ++ ) ++ parser.add_argument( ++ "-s", ++ "--sudo", ++ action="store_true", ++ default=False, ++ dest="sudo", ++ help="Run commands as root using sudo", ++ ) ++ parser.add_argument( ++ "-l", ++ "--user_login", ++ action="store_true", ++ default=False, ++ dest="user_login", ++ help="Basic rules common to all users (tty, pty, ...)", ++ ) ++ parser.add_argument( ++ "-c", ++ "--ssh_connect", ++ action="store_true", ++ default=False, ++ dest="ssh_connect", ++ help="Connect over SSH", ++ ) ++ parser.add_argument( ++ "-b", ++ "--basic_commands", ++ action="store_true", ++ default=False, ++ dest="basic_commands", ++ help="Use basic commands (date, ls, ps, man, systemctl -user, journalctl -user, passwd, ...)", ++ ) ++ parser.add_argument("--level", nargs="?", default="s0", dest="level") ++ parser.add_argument( ++ "--range", nargs="?", default="s0-s0:c0.c1023", dest="range" ++ ) ++ parser.add_argument("uname") ++ else: ++ # set up normal udica parser ++ parser = argparse.ArgumentParser( ++ description="Script generates SELinux policy for running container.", ++ prog="udica [confined_user]", ++ formatter_class=argparse.RawDescriptionHelpFormatter, ++ epilog="""Additional options: ++ confined_user Generate policy for a new confined user instead of a container policy""", ++ ) ++ parser.add_argument("-V", "--version", action="version", version=version) ++ parser.add_argument( ++ type=str, help="Name for SELinux policy module", dest="ContainerName" ++ ) ++ parser.add_argument( ++ "-i", ++ "--container-id", ++ type=str, ++ help="Running container ID", ++ dest="ContainerID", ++ default=None, ++ ) ++ parser.add_argument( ++ "-j", ++ "--json", ++ help='Load json from this file, use "-j -" for stdin', ++ required=False, ++ dest="JsonFile", ++ default=None, ++ ) ++ parser.add_argument( ++ "--full-network-access", ++ help="Allow container full Network access ", ++ required=False, ++ dest="FullNetworkAccess", 
++ action="store_true", ++ ) ++ parser.add_argument( ++ "--tty-access", ++ help="Allow container to read and write the controlling terminal ", ++ required=False, ++ dest="TtyAccess", ++ action="store_true", ++ ) ++ parser.add_argument( ++ "--X-access", ++ help="Allow container to communicate with Xserver ", ++ required=False, ++ dest="XAccess", ++ action="store_true", ++ ) ++ parser.add_argument( ++ "--virt-access", ++ help="Allow container to communicate with libvirt ", ++ required=False, ++ dest="VirtAccess", ++ action="store_true", ++ ) ++ parser.add_argument( ++ "-s", ++ "--stream-connect", ++ help="Allow container to stream connect with given SELinux domain ", ++ required=False, ++ dest="StreamConnect", ++ ) ++ parser.add_argument( ++ "-l", ++ "--load-modules", ++ help="Load templates and module created by this tool ", ++ required=False, ++ dest="LoadModules", ++ action="store_true", ++ ) ++ parser.add_argument( ++ "-c", ++ "--caps", ++ help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"', ++ required=False, ++ dest="Caps", ++ default=None, ++ ) ++ parser.add_argument( ++ "--devices", ++ type=str, ++ help='List of devices the container should have access to, e.g "--devices /dev/dri/card0,/dev/dri/renderD128"', ++ dest="Devices", ++ required=False, ++ default=None, ++ ) ++ parser.add_argument( ++ "-d", ++ "--ansible", ++ help="Generate ansible playbook to deploy SELinux policy for containers ", ++ required=False, ++ dest="Ansible", ++ action="store_true", ++ ) ++ parser.add_argument( ++ "-a", ++ "--append-rules", ++ type=str, ++ help="Append more SELinux allow rules from file", ++ dest="FileAVCS", ++ required=False, ++ default=None, ++ ) ++ parser.add_argument( ++ "-e", ++ "--container-engine", ++ type=str, ++ help="Specify which container engine is used for the inspected container (supports: {})".format( ++ ", ".join(ENGINE_ALL) ++ ), ++ 
dest="ContainerEngine",
++ required=False,
++ default="-",
++ )
++
+ args = parser.parse_args()
+ return vars(args)
+
+@@ -142,6 +241,13 @@ def get_args():
+ def main():
+ opts = get_args()
+
++ # generate confined user policy
++ if "confined_user" in opts.keys():
++ from udica.confined_user import create_confined_user_policy
++
++ create_confined_user_policy(opts)
++ return
++
+ if opts["ContainerID"]:
+ container_inspect_raw = None
+ for backend in [ENGINE_PODMAN, ENGINE_DOCKER]:
+@@ -167,8 +273,6 @@ def main():
+
+ if opts["JsonFile"]:
+ if opts["JsonFile"] == "-":
+- import sys
+-
+ container_inspect_raw = sys.stdin.read()
+ else:
+ import os.path
+@@ -182,8 +286,6 @@ def main():
+
+ if (not opts["JsonFile"]) and (not opts["ContainerID"]):
+ try:
+- import sys
+-
+ container_inspect_raw = sys.stdin.read()
+ except Exception as e:
+ print("Couldn't parse inspect data from stdin:", e)
+diff --git a/udica/confined_user.py b/udica/confined_user.py
+new file mode 100644
+index 0000000..796f543
+--- /dev/null
++++ b/udica/confined_user.py
+@@ -0,0 +1,134 @@
++# Copyright (C) 2023 Vit Mojzis,
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License as
++# published by the Free Software Foundation; either version 2 of
++# the License, or (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see .
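Review bot: The mode switch `if "confined_user" in sys.argv:` in get_args matches the literal anywhere on the command line, so a container-policy invocation whose module name, `-i` value or `-j` path happens to be `confined_user` is silently parsed with the confined-user parser, and because `parser.add_argument("confined_user")` is a free positional, `udica something confined_user` is also accepted with `something` taken as the mode token. Both should be pinned to the first argument: `if len(sys.argv) > 1 and sys.argv[1] == "confined_user":` and `parser.add_argument("confined_user", choices=["confined_user"])`. An argparse sub-parser would express the same two-mode CLI more idiomatically and would also produce a correct usage line instead of the hand-written `prog="udica [confined_user]"`.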
++
++MACRO_CALLS = {
++ "admin_commands": (
++ "(call confinedom_admin_commands_macro ({}))",
++ ("_t", "_r", "_sudo_t"),
++ ),
++ "graphical_login": (
++ "(call confinedom_graphical_login_macro ({}))",
++ ("_t", "_r", "_dbus_t"),
++ ),
++ "mozilla_usage": ("(call confinedom_mozilla_usage_macro ({}))", ("_t", "_r")),
++ "networking": ("(call confinedom_networking_macro ({}))", ("_t", "_r")),
++ "security_advanced": (
++ "(call confinedom_security_advanced_macro ({}))",
++ ("_t", "_r", "_sudo_t", "_userhelper_t"),
++ ),
++ "security_basic": ("(call confinedom_security_basic_macro ({}))", ("_t", "_r")),
++ "sudo": (
++ "(call confinedom_sudo_macro ({}))",
++ ("_t", "_r", "_sudo_t", "_sudo_tmp_t"),
++ ),
++ "user_login": (
++ "(call confinedom_user_login_macro ({}))",
++ ("_t", "_r", "_gkeyringd_t", "_dbus_t", "_exec_content"),
++ ),
++ "ssh_connect": (
++ "(call confined_ssh_connect_macro ({}))",
++ ("_t", "_r", "_ssh_agent_t"),
++ ),
++ "basic_commands": ("(call confined_use_basic_commands_macro ({}))", ("_t", "_r")),
++}
++
++TYPE_DEFS = {
++ "_t": "(type {}_t)",
++ "_r": "(role {}_r)",
++ "_dbus_t": "(type {}_dbus_t)",
++ "_gkeyringd_t": "(type {}_gkeyringd_t)",
++ "_ssh_agent_t": "(type {}_ssh_agent_t)",
++ "_sudo_t": "(type {}_sudo_t)",
++ "_sudo_tmp_t": "(type {}_sudo_tmp_t)",
++ "_userhelper_t": "(type {}_userhelper_t)",
++ "_exec_content": "(boolean {}_exec_content true)",
++}
++
++
++def create_confined_user_policy(opts):
++ # MCS/MLS range handling - needs to be separated into up-to 4 parts
++ # s0-s15:c0.c1023 -> (userrange {uname}_u ((s0 ) (s15 (range c0 c1023))))
++ # s0:c0 -> (userrange {uname}_u ((s0 ) (s0 (c0))))
++ mls_range = opts["range"]
++ mcs_range = ""
++ # separate MCS portion
++ if ":" in opts["range"]:
++ # s0:c0.c1023
++ (mls_range, mcs_range) = opts["range"].split(":")
++ if "-" in mls_range:
++ # s0-s15
++ (range_l, range_h) = mls_range.split("-")
++ else:
++ # s0
++ range_l = mls_range
++ range_h = range_l
++ if mcs_range != "":
++ if 
"." in mcs_range:
++ # s0:c0.c1023 -> (userrange {uname}_u ((s0 ) (s0 (range c0 c1023))))
++ (mcs_range_l, mcs_range_h) = mcs_range.split(".")
++ mcs_range = "(range {} {})".format(mcs_range_l, mcs_range_h)
++ else:
++ # s0:c0 -> (userrange {uname}_u ((s0 ) (s0 (c0))))
++ mcs_range = "({})".format(mcs_range)
++
++ range = "({} ) ({} {})".format(range_l, range_h, mcs_range)
++
++ defs = set()
++
++ policy = """
++(user {uname}_u)
++(userrole {uname}_u {uname}_r)
++(userlevel {uname}_u ({level}))
++(userrange {uname}_u ({range}))
++""".format(
++ uname=opts["uname"], level=opts["level"], range=range
++ )
++
++ # process arguments determining which macros are to be used
++ for arg, value in opts.items():
++ if not value or arg not in MACRO_CALLS.keys():
++ continue
++ for param in MACRO_CALLS[arg][1]:
++ defs.add(TYPE_DEFS[param].format(opts["uname"]))
++ policy += "\n" + (
++ MACRO_CALLS[arg][0].format(
++ " ".join([opts["uname"] + s for s in MACRO_CALLS[arg][1]])
++ )
++ )
++ # print("{}: {}".format(arg, value))
++
++ policy = "\n".join(sorted(defs)) + policy
++
++ with open("{}.cil".format(opts["uname"]), "w") as f:
++ f.write(policy)
++
++ print("Created {}.cil".format(opts["uname"]))
++ print("Run the following commands to apply the new policy:")
++ print("Install the new policy module")
++ print(
++ "# semodule -i {}.cil /usr/share/udica/macros/confined_user_macros.cil".format(
++ opts["uname"]
++ )
++ )
++ print("Create a default context file for the new user")
++ print(
++ "# sed -e ’s|user|{}|g’ /etc/selinux/targeted/contexts/users/user_u > /etc/selinux/targeted/contexts/users/{}_u".format(
++ opts["uname"], opts["uname"]
++ )
++ )
++ print("Map the new selinux user to an existing user account")
++ print("# semanage login -a -s {}_u {}".format(opts["uname"], opts["uname"]))
++ print("Fix labels in the user's home direcotry")
++ print("# restorecon -RvF /home/{}".format(opts["uname"]))
+diff --git a/udica/macros/confined_user_macros.cil 
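Review bot: `opts["uname"]` is used unvalidated as a CIL identifier, as the output path `"{}.cil".format(opts["uname"])` and inside the printed `semodule`/`semanage`/`restorecon` commands, so a name containing `/`, whitespace or parentheses writes the file outside the working directory or produces a `.cil` that is unlikely to compile; check it once at the top of create_confined_user_policy, e.g. `if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", opts["uname"]): raise ValueError("invalid user name: {}".format(opts["uname"]))` (with `import re` added to the module header). The `sed` hint near the end of the hunk uses typographic quotes `’s|user|{}|g’` rather than ASCII `'`, so a user pasting it into a shell hands the curly characters to sed as part of the expression and the command fails; the same print has the typo `direcotry` two lines further down. The local `range` shadows the builtin and, together with the `.format(range=range)` keyword, reads confusingly; `user_range` would be clearer. The `open(..., "w")` also overwrites an existing `<uname>.cil` without notice, which is worth at least a mention in the success message.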
b/udica/macros/confined_user_macros.cil +new file mode 100644 +index 0000000..ddb5689 +--- /dev/null ++++ b/udica/macros/confined_user_macros.cil +@@ -0,0 +1,4367 @@ ++(typeattribute login_confinedom) ++ ++(optional confined_transition_userdomain_optional ++ (typeattributeset cil_gen_require init_t) ++ (typeattributeset cil_gen_require xdm_t) ++ (typeattributeset cil_gen_require login_confinedom) ++ (typeattributeset cil_gen_require xsession_exec_t) ++ (allow xdm_t xsession_exec_t (file (ioctl read getattr map execute open))) ++ (allow xdm_t login_confinedom (process (transition))) ++ (allow login_confinedom xdm_t (fd (use))) ++ (allow login_confinedom xdm_t (fifo_file (ioctl read write getattr lock append open))) ++ (allow login_confinedom xdm_t (process (sigchld))) ++) ++ ++(optional confined_xsession_spec_domtrans_conf_users_optional ++ (typeattributeset cil_gen_require init_t) ++ (typeattributeset cil_gen_require xdm_t) ++ (typeattributeset cil_gen_require login_confinedom) ++ (allow init_t login_confinedom (process (transition))) ++) ++ ++(macro confinedom_admin_commands_macro ((type utype) (role urole) (type sudo_type)) ++ (optional confinedom_admin_commands_optional_2 ++ (roleattributeset cil_gen_require urole) ++ (roleattributeset cil_gen_require iptables_roles) ++ (typeattributeset cil_gen_require utype) ++ (typeattributeset cil_gen_require sudo_type) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset cil_gen_require usbmon_device_t) ++ (typeattributeset cil_gen_require device_t) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require selinux_config_t) ++ (typeattributeset cil_gen_require policy_config_t) ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require modules_object_t) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require files_unconfined_type) ++ (typeattributeset cil_gen_require init_var_run_t) ++ (typeattributeset cil_gen_require 
init_var_lib_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require init_t) ++ (typeattributeset cil_gen_require iptables_t) ++ (typeattributeset cil_gen_require iptables_exec_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require proc_t) ++ (typeattributeset cil_gen_require proc_net_t) ++ (typeattributeset cil_gen_require auditd_t) ++ (typeattributeset cil_gen_require auditd_etc_t) ++ (typeattributeset cil_gen_require auditd_log_t) ++ (typeattributeset cil_gen_require auditd_var_run_t) ++ (typeattributeset cil_gen_require auditd_initrc_exec_t) ++ (typeattributeset cil_gen_require auditd_unit_file_t) ++ (typeattributeset cil_gen_require auditctl_t) ++ (typeattributeset cil_gen_require auditctl_exec_t) ++ (typeattributeset cil_gen_require initrc_t) ++ (typeattributeset cil_gen_require initrc_transition_domain) ++ (typeattributeset cil_gen_require filesystem_type) ++ (typeattributeset cil_gen_require can_system_change) ++ (typeattributeset cil_gen_require systemd_systemctl_exec_t) ++ (typeattributeset cil_gen_require cgroup_t) ++ (typeattributeset cil_gen_require tmpfs_t) ++ (typeattributeset cil_gen_require sysfs_t) ++ (typeattributeset cil_gen_require efivarfs_t) ++ (typeattributeset cil_gen_require systemd_unit_file_type) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require systemd_logind_var_run_t) ++ (typeattributeset cil_gen_require systemd_passwd_agent_t) ++ (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) ++ (typeattributeset cil_gen_require systemd_passwd_var_run_t) ++ (typeattributeset cil_gen_require syslogd_t) ++ (typeattributeset cil_gen_require klogd_t) ++ (typeattributeset cil_gen_require syslog_conf_t) ++ (typeattributeset cil_gen_require syslogd_tmp_t) ++ (typeattributeset cil_gen_require syslogd_var_lib_t) ++ (typeattributeset cil_gen_require syslogd_var_run_t) ++ (typeattributeset cil_gen_require 
klogd_var_run_t) ++ (typeattributeset cil_gen_require klogd_tmp_t) ++ (typeattributeset cil_gen_require var_log_t) ++ (typeattributeset cil_gen_require syslogd_initrc_exec_t) ++ (typeattributeset cil_gen_require logfile) ++ (typeattributeset cil_gen_require user_home_dir_t) ++ (typeattributeset cil_gen_require user_home_t) ++ (typeattributeset cil_gen_require user_home_type) ++ (typeattributeset cil_gen_require home_root_t) ++ (typeattributeset cil_gen_require passwd_t) ++ (typeattributeset cil_gen_require passwd_exec_t) ++ (roleattributeset cil_gen_require iptables_roles) ++ (roleattributeset iptables_roles (urole )) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole auditctl_t) ++ (typeattributeset cil_gen_require initrc_transition_domain) ++ (typeattributeset initrc_transition_domain (utype )) ++ (typeattributeset cil_gen_require files_unconfined_type) ++ (typeattributeset files_unconfined_type (utype )) ++ (typeattributeset cil_gen_require can_system_change) ++ (typeattributeset can_system_change (utype )) ++ (allow utype self (capability (net_raw))) ++ (allow utype self (netlink_generic_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) ++ (allow utype self (netlink_netfilter_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) ++ (allow utype self (netlink_rdma_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) ++ (allow utype self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) ++ (allow utype self (packet_socket (map))) ++ (allow sudo_type utype (unix_stream_socket (connectto))) ++ (allow sudo_type self (bluetooth_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) ++ (allow sudo_type self (capability (net_raw))) ++ (allow sudo_type self (netlink_generic_socket (ioctl read write create getattr setattr 
lock append bind connect getopt setopt shutdown))) ++ (allow sudo_type self (netlink_netfilter_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) ++ (allow sudo_type self (netlink_rdma_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) ++ (allow sudo_type self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) ++ (allow sudo_type self (packet_socket (map))) ++ (allow utype domain (process (getattr))) ++ (allow utype usbmon_device_t (chr_file (map))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype usbmon_device_t (chr_file (ioctl read getattr lock open))) ++ (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type non_auth_file_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type non_auth_file_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type non_auth_file_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type non_auth_file_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type non_auth_file_type (sock_file (ioctl read write create getattr setattr lock append unlink link 
rename open))) ++ (allow sudo_type etc_t (dir (getattr open search))) ++ (allow sudo_type selinux_config_t (dir (getattr open search))) ++ (allow sudo_type policy_config_t (dir (ioctl write getattr lock open add_name search))) ++ (allow sudo_type policy_config_t (file (create getattr open))) ++ (allow sudo_type policy_config_t (dir (getattr open search))) ++ (allow sudo_type policy_config_t (file (ioctl write getattr lock append open))) ++ (allow sudo_type modules_object_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type modules_object_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow sudo_type file_type (dir (ioctl read getattr lock open search))) ++ (allow sudo_type file_type (dir (getattr open search))) ++ (allow sudo_type file_type (lnk_file (read getattr))) ++ (allow sudo_type init_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type init_var_run_t (dir (ioctl write getattr lock open add_name search))) ++ (allow sudo_type init_var_run_t (dir (create getattr))) ++ (allow sudo_type var_t (dir (getattr open search))) ++ (allow sudo_type var_lib_t (dir (getattr open search))) ++ (allow sudo_type init_var_lib_t (dir (getattr open search))) ++ (allow sudo_type init_var_lib_t (file (ioctl read getattr map open))) ++ (allow sudo_type init_t (dir (getattr open search))) ++ (allow sudo_type init_t (file (ioctl read getattr lock open))) ++ (allow sudo_type init_t (lnk_file (read getattr))) ++ (allow sudo_type init_var_run_t (sock_file (write))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype iptables_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype iptables_t (process (transition))) ++ (typetransition utype iptables_exec_t process iptables_t) ++ (allow 
iptables_t utype (fd (use))) ++ (allow iptables_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow iptables_t utype (process (sigchld))) ++ (allow utype iptables_exec_t (file (map))) ++ (allow sudo_type proc_t (dir (getattr open search))) ++ (allow sudo_type proc_net_t (dir (getattr open search))) ++ (allow sudo_type proc_net_t (file (ioctl read getattr lock open))) ++ (allow sudo_type proc_t (dir (getattr open search))) ++ (allow sudo_type proc_net_t (dir (getattr open search))) ++ (allow sudo_type proc_net_t (lnk_file (read getattr))) ++ (allow sudo_type proc_t (dir (getattr open search))) ++ (allow sudo_type proc_net_t (dir (ioctl read getattr lock open search))) ++ (allow utype auditd_t (process (sigchld sigkill sigstop signull signal))) ++ (allow utype auditd_t (dir (ioctl read getattr lock open search))) ++ (allow utype auditd_t (file (ioctl read getattr lock open))) ++ (allow utype auditd_t (lnk_file (read getattr))) ++ (allow utype auditd_t (process (getattr))) ++ (allow utype auditd_etc_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype auditd_etc_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype auditd_etc_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype auditd_etc_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype auditd_log_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype auditd_log_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype auditd_log_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype auditd_log_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch 
watch_reads))) ++ (allow utype auditd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype auditd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype auditd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype auditd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype auditctl_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype auditctl_t (process (transition))) ++ (typetransition utype auditctl_exec_t process auditctl_t) ++ (allow auditctl_t utype (fd (use))) ++ (allow auditctl_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow auditctl_t utype (process (sigchld))) ++ (allow utype filesystem_type (dir (getattr open search))) ++ (allow utype auditd_initrc_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype initrc_t (process (transition))) ++ (typetransition utype auditd_initrc_exec_t process initrc_t) ++ (allow initrc_t utype (fd (use))) ++ (allow initrc_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow initrc_t utype (process (sigchld))) ++ (allow utype auditd_initrc_exec_t (file (ioctl))) ++ (allow utype etc_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype cgroup_t (dir (getattr open search))) ++ (allow utype cgroup_t (dir (ioctl read getattr lock open search))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open 
search))) ++ (allow utype cgroup_t (dir (getattr open search))) ++ (allow utype cgroup_t (file (ioctl read getattr lock open))) ++ (allow utype cgroup_t (dir (getattr open search))) ++ (allow utype cgroup_t (lnk_file (read getattr))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype efivarfs_t (dir (getattr open search))) ++ (allow utype efivarfs_t (file (ioctl read getattr lock open))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) ++ (allow utype init_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow utype init_t (dir (getattr open search))) ++ (allow utype init_t (file (ioctl read getattr lock open))) ++ (allow utype init_t (lnk_file (read getattr))) ++ (allow utype init_t (unix_stream_socket (sendto))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype init_var_run_t (dir (getattr open search))) ++ (allow utype init_var_run_t (sock_file (write getattr append open))) ++ (allow utype init_t (unix_stream_socket (connectto))) ++ (allow utype init_t (unix_stream_socket (getattr))) ++ (dontaudit utype self (process (setrlimit))) ++ (dontaudit utype self (capability (sys_resource))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t 
(lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) ++ (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype init_var_run_t (dir (getattr open search))) ++ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow systemd_passwd_agent_t utype (process (signull))) ++ (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) ++ (dontaudit utype self (capability (net_admin sys_ptrace))) ++ (allow utype auditd_unit_file_t (file (ioctl read getattr lock open))) ++ (allow utype auditd_unit_file_t (service (start stop status reload enable disable))) ++ (allow utype auditd_t (dir (ioctl read getattr lock open search))) ++ (allow utype auditd_t (file (ioctl read getattr lock open))) ++ (allow utype auditd_t (lnk_file (read getattr))) ++ (allow utype auditd_t (process (getattr))) ++ (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype auditd_unit_file_t (dir (ioctl read write create getattr setattr lock unlink link rename 
open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype auditd_unit_file_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype auditd_unit_file_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype auditd_unit_file_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype auditd_unit_file_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype auditd_unit_file_t (dir (getattr open search))) ++ (allow utype auditd_unit_file_t (dir (getattr relabelfrom relabelto))) ++ (allow utype auditd_unit_file_t (dir (getattr open search))) ++ (allow utype auditd_unit_file_t (file (getattr relabelfrom relabelto))) ++ (allow utype auditd_unit_file_t (dir (getattr open search))) ++ (allow utype auditd_unit_file_t (lnk_file (getattr relabelfrom relabelto))) ++ (allow utype auditd_unit_file_t (dir (getattr open search))) ++ (allow utype auditd_unit_file_t (fifo_file (getattr relabelfrom relabelto))) ++ (allow utype auditd_unit_file_t (dir (getattr open search))) ++ (allow utype auditd_unit_file_t (sock_file (getattr relabelfrom relabelto))) ++ (allow utype auditd_unit_file_t (service (start stop status reload enable disable))) ++ (allow utype self (capability2 (syslog))) ++ (allow utype syslogd_t (process (sigchld sigkill sigstop signull signal))) ++ (allow utype klogd_t (process (sigchld sigkill 
sigstop signull signal))) ++ (allow utype syslogd_t (dir (ioctl read getattr lock open search))) ++ (allow utype syslogd_t (file (ioctl read getattr lock open))) ++ (allow utype syslogd_t (lnk_file (read getattr))) ++ (allow utype syslogd_t (process (getattr))) ++ (allow utype klogd_t (dir (ioctl read getattr lock open search))) ++ (allow utype klogd_t (file (ioctl read getattr lock open))) ++ (allow utype klogd_t (lnk_file (read getattr))) ++ (allow utype klogd_t (process (getattr))) ++ (allow utype klogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype klogd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype klogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype klogd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype klogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype klogd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype klogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype klogd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype syslogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype syslogd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype syslogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype syslogd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch 
watch_reads))) ++ (allow utype syslog_conf_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype syslog_conf_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype syslog_conf_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype syslog_conf_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype etc_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (typetransition utype etc_t file syslog_conf_t) ++ (allow utype syslogd_var_lib_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype syslogd_var_lib_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype syslogd_var_lib_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype syslogd_var_lib_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype syslogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype syslogd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype syslogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype syslogd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype logfile (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name 
reparent search rmdir))) ++ (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype logfile (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype logfile (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow utype logfile (file (map))) ++ (allow utype logfile (dir (getattr relabelfrom relabelto))) ++ (allow utype logfile (file (getattr relabelfrom relabelto))) ++ (allow utype filesystem_type (dir (getattr open search))) ++ (allow utype syslogd_initrc_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype initrc_t (process (transition))) ++ (typetransition utype syslogd_initrc_exec_t process initrc_t) ++ (allow initrc_t utype (fd (use))) ++ (allow initrc_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow initrc_t utype (process (sigchld))) ++ (allow utype syslogd_initrc_exec_t (file (ioctl))) ++ (allow utype etc_t (dir (getattr open search))) ++ (allow sudo_type home_root_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type home_root_t (lnk_file (read getattr))) ++ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type user_home_type (file (ioctl read write create getattr setattr lock append 
unlink link rename open watch watch_reads))) ++ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (typetransition sudo_type user_home_dir_t fifo_file user_home_t) ++ (typetransition sudo_type user_home_dir_t sock_file user_home_t) ++ (typetransition sudo_type user_home_dir_t lnk_file user_home_t) ++ (typetransition sudo_type user_home_dir_t dir user_home_t) ++ (typetransition sudo_type user_home_dir_t file user_home_t) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (lnk_file (read getattr))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type passwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type passwd_t (process (transition))) ++ (typetransition sudo_type passwd_exec_t process passwd_t) ++ (allow passwd_t sudo_type (fd (use))) ++ (allow passwd_t sudo_type 
(fifo_file (ioctl read write getattr lock append))) ++ (allow passwd_t sudo_type (process (sigchld))) ++ (roletransition urole syslogd_initrc_exec_t process system_r) ++ (roletransition urole auditd_initrc_exec_t process system_r) ++ (roleallow urole system_r) ++ (roleallow urole system_r) ++ (booleanif (deny_ptrace) ++ (false ++ (allow utype auditd_t (process (ptrace))) ++ (allow utype klogd_t (process (ptrace))) ++ (allow utype syslogd_t (process (ptrace))) ++ ) ++ ) ++ (optional confinedom_admin_commands_optional_3 ++ (typeattributeset cil_gen_require tuned_t) ++ (allow utype tuned_t (dbus (send_msg))) ++ (allow tuned_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_admin_commands_optional_4 ++ (roleattributeset cil_gen_require wireshark_roles) ++ (typeattributeset cil_gen_require user_home_dir_t) ++ (typeattributeset cil_gen_require home_root_t) ++ (typeattributeset cil_gen_require wireshark_t) ++ (typeattributeset cil_gen_require wireshark_exec_t) ++ (typeattributeset cil_gen_require wireshark_home_t) ++ (typeattributeset cil_gen_require wireshark_tmp_t) ++ (typeattributeset cil_gen_require wireshark_tmpfs_t) ++ (roleattributeset cil_gen_require wireshark_roles) ++ (roleattributeset wireshark_roles (urole )) ++ (allow utype wireshark_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype wireshark_t (process (transition))) ++ (typetransition utype wireshark_exec_t process wireshark_t) ++ (allow wireshark_t utype (fd (use))) ++ (allow wireshark_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow wireshark_t utype (process (sigchld))) ++ (allow utype wireshark_t (process (sigchld sigkill sigstop signull signal ptrace))) ++ (allow utype wireshark_t (dir (ioctl read getattr lock open search))) ++ (allow utype wireshark_t (file (ioctl read getattr lock open))) ++ (allow utype wireshark_t (lnk_file (read getattr))) ++ (allow utype wireshark_t (process (getattr))) ++ (allow utype wireshark_home_t (dir (ioctl read write create 
getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype wireshark_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype wireshark_tmpfs_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype wireshark_home_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) ++ (allow utype wireshark_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) ++ (allow utype wireshark_tmpfs_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) ++ (allow utype wireshark_home_t (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename watch watch_reads))) ++ (allow utype wireshark_tmpfs_t (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename watch watch_reads))) ++ (allow utype wireshark_tmpfs_t (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open))) ++ (allow utype wireshark_tmpfs_t (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype wireshark_t (shm (getattr read write associate unix_read unix_write lock))) ++ (typetransition utype user_home_dir_t dir ".wireshark" wireshark_home_t) ++ ) ++ 
) ++) ++ ++(macro confinedom_graphical_login_macro ((type utype) (role urole) (type dbusd_type)) ++ ++ (optional confinedom_graphical_login_optional_2 ++ (roleattributeset cil_gen_require urole) ++ (typeattributeset cil_gen_require utype) ++ (typeattributeset cil_gen_require user_tmpfs_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require usr_t) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require port_type) ++ (typeattributeset cil_gen_require device_t) ++ (typeattributeset cil_gen_require sound_device_t) ++ (typeattributeset cil_gen_require event_device_t) ++ (typeattributeset cil_gen_require v4l_device_t) ++ (typeattributeset cil_gen_require wireless_device_t) ++ (typeattributeset cil_gen_require configfile) ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require home_root_t) ++ (typeattributeset cil_gen_require lib_t) ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require tmp_t) ++ (typeattributeset cil_gen_require init_t) ++ (typeattributeset cil_gen_require usbfs_t) ++ (typeattributeset cil_gen_require usb_device_t) ++ (typeattributeset cil_gen_require noxattrfs) ++ (typeattributeset cil_gen_require dosfs_t) ++ (typeattributeset cil_gen_require removable_device_t) ++ (typeattributeset cil_gen_require proc_t) ++ (typeattributeset cil_gen_require sysctl_t) ++ (typeattributeset cil_gen_require sysctl_dev_t) ++ (typeattributeset cil_gen_require fonts_t) ++ (typeattributeset cil_gen_require locale_t) ++ (typeattributeset cil_gen_require mount_t) ++ (typeattributeset cil_gen_require selinux_config_t) ++ (typeattributeset cil_gen_require default_context_t) ++ (typeattributeset cil_gen_require 
fuse_device_t) ++ (typeattributeset cil_gen_require user_tmp_t) ++ (typeattributeset cil_gen_require user_home_t) ++ (typeattributeset cil_gen_require user_home_dir_t) ++ (typeattributeset cil_gen_require user_home_type) ++ (typeattributeset cil_gen_require userdom_filetrans_type) ++ (typeattributeset cil_gen_require nfs_t) ++ (typeattributeset cil_gen_require autofs_t) ++ (typeattributeset cil_gen_require cifs_t) ++ (typeattributeset cil_gen_require xauth_t) ++ (typeattributeset cil_gen_require iceauth_t) ++ (typeattributeset cil_gen_require dridomain) ++ (typeattributeset cil_gen_require x_userdomain) ++ (typeattributeset cil_gen_require root_xdrawable_t) ++ (typeattributeset cil_gen_require xdm_t) ++ (typeattributeset cil_gen_require xserver_t) ++ (typeattributeset cil_gen_require xproperty_t) ++ (typeattributeset cil_gen_require user_xproperty_t) ++ (typeattributeset cil_gen_require xevent_t) ++ (typeattributeset cil_gen_require client_xevent_t) ++ (typeattributeset cil_gen_require input_xevent_t) ++ (typeattributeset cil_gen_require user_input_xevent_t) ++ (typeattributeset cil_gen_require x_domain) ++ (typeattributeset cil_gen_require input_xevent_type) ++ (typeattributeset cil_gen_require xdrawable_type) ++ (typeattributeset cil_gen_require xcolormap_type) ++ (typeattributeset cil_gen_require xdm_var_run_t) ++ (typeattributeset cil_gen_require tmpfs_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require userdomain) ++ (typeattributeset cil_gen_require xdm_log_t) ++ (typeattributeset cil_gen_require xdmhomewriter) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole user_home_dir_t) ++ (roletype urole user_home_type) ++ (roletype urole xauth_t) ++ (roletype urole iceauth_t) ++ (typeattributeset cil_gen_require xcolormap_type) ++ (typeattributeset xcolormap_type (utype )) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset file_type (bin_t usr_t )) ++ (typeattributeset cil_gen_require 
non_security_file_type) ++ (typeattributeset non_security_file_type (bin_t usr_t )) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset exec_type (bin_t usr_t )) ++ (typeattributeset cil_gen_require xdmhomewriter) ++ (typeattributeset xdmhomewriter (utype )) ++ (typeattributeset cil_gen_require xdrawable_type) ++ (typeattributeset xdrawable_type (utype )) ++ (typeattributeset cil_gen_require userdom_filetrans_type) ++ (typeattributeset userdom_filetrans_type (utype )) ++ (typeattributeset cil_gen_require x_domain) ++ (typeattributeset x_domain (utype )) ++ (typeattributeset cil_gen_require x_userdomain) ++ (typeattributeset x_userdomain (utype )) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset entry_type (bin_t usr_t )) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset non_auth_file_type (bin_t usr_t )) ++ (typeattributeset cil_gen_require dridomain) ++ (typeattributeset dridomain (utype )) ++ (allow utype bin_t (file (entrypoint))) ++ (allow utype bin_t (file (ioctl read getattr lock map execute open))) ++ (allow utype usr_t (file (entrypoint))) ++ (allow utype usr_t (file (ioctl read getattr lock map execute open))) ++ (allow utype port_type (tcp_socket (name_connect))) ++ (allow utype utype (process (getattr setrlimit execmem))) ++ (allow utype utype (system (ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload undefined))) ++ (allow utype utype (netlink_kobject_uevent_socket (read))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype sound_device_t (chr_file (ioctl write getattr lock append open))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype sound_device_t (chr_file (ioctl read getattr lock open))) ++ (allow utype sound_device_t (chr_file (map))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype event_device_t (chr_file (ioctl read write getattr lock append))) 
++ (allow utype device_t (dir (getattr open search))) ++ (allow utype v4l_device_t (chr_file (ioctl read getattr lock open))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype v4l_device_t (chr_file (ioctl write getattr lock append open))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype wireless_device_t (chr_file (ioctl read write getattr lock append open))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (dir (getattr watch))) ++ (allow utype configfile (dir (ioctl read getattr lock open search))) ++ (allow utype configfile (dir (getattr open search))) ++ (allow utype configfile (file (ioctl read getattr lock open))) ++ (allow utype configfile (dir (getattr open search))) ++ (allow utype configfile (lnk_file (read getattr))) ++ (allow utype etc_t (dir (getattr watch))) ++ (allow utype home_root_t (dir (getattr watch))) ++ (allow utype lib_t (dir (getattr watch))) ++ (allow utype usr_t (dir (getattr watch))) ++ (allow utype usr_t (file (getattr watch))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr watch))) ++ (allow utype var_run_t (dir (getattr watch))) ++ (allow utype tmp_t (dir (getattr watch))) ++ (allow utype init_t (unix_stream_socket (ioctl read write getattr setattr lock append bind connect listen accept getopt setopt shutdown))) ++ (allow utype proc_t (dir (getattr open search))) ++ (allow utype sysctl_t (dir (getattr open search))) ++ (allow utype sysctl_dev_t (dir (getattr open search))) ++ (allow utype sysctl_dev_t (file (ioctl read getattr lock open))) ++ (allow utype proc_t (dir (getattr open search))) ++ (allow utype sysctl_t (dir (getattr open search))) ++ (allow utype sysctl_dev_t (dir (ioctl read getattr lock open search))) ++ (allow utype fonts_t (dir (getattr watch))) ++ (allow utype locale_t (dir (getattr open search))) ++ (allow utype locale_t (lnk_file (getattr watch))) ++ (allow utype mount_t (process (signal))) ++ 
(allow utype etc_t (dir (getattr open search))) ++ (allow utype selinux_config_t (dir (getattr open search))) ++ (allow utype default_context_t (dir (ioctl read getattr lock open search))) ++ (allow utype default_context_t (dir (getattr open search))) ++ (allow utype default_context_t (file (ioctl read getattr lock open))) ++ (allow utype fuse_device_t (chr_file (ioctl read write getattr lock append open))) ++ (allow utype user_tmp_t (file (execute))) ++ (typemember utype user_home_dir_t dir user_home_dir_t) ++ (allow utype user_home_t (dir (mounton))) ++ (allow utype user_home_t (file (entrypoint))) ++ (allow utype user_home_type (file (relabelfrom relabelto))) ++ (allow utype user_home_type (dir (relabelfrom relabelto))) ++ (allow utype user_home_type (lnk_file (relabelfrom relabelto))) ++ (allow utype user_home_type (chr_file (relabelfrom relabelto))) ++ (allow utype user_home_type (blk_file (relabelfrom relabelto))) ++ (allow utype user_home_type (sock_file (relabelfrom relabelto))) ++ (allow utype user_home_type (fifo_file (relabelfrom relabelto))) ++ (allow utype user_home_dir_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read 
write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype user_home_dir_t (dir (getattr open search))) ++ (allow utype user_home_type (dir (getattr open search))) ++ (allow utype user_home_type (dir (getattr relabelfrom relabelto))) ++ (allow utype user_home_dir_t (dir (getattr open search))) ++ (allow utype user_home_type (dir (getattr open search))) ++ (allow utype user_home_type (file (getattr relabelfrom relabelto))) ++ (allow utype user_home_dir_t (dir (getattr open search))) ++ (allow utype user_home_type (dir (getattr open search))) ++ (allow utype user_home_type (lnk_file (getattr relabelfrom relabelto))) ++ (allow utype user_home_dir_t (dir (getattr open search))) ++ (allow utype user_home_type (dir (getattr open search))) ++ (allow utype user_home_type (sock_file (getattr relabelfrom relabelto))) ++ (allow utype user_home_dir_t (dir (getattr open search))) ++ (allow utype user_home_type (dir (getattr open search))) ++ (allow utype user_home_type (fifo_file (getattr relabelfrom relabelto))) ++ (allow utype home_root_t (dir (ioctl read getattr lock open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read 
write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype user_home_dir_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (typetransition utype root_xdrawable_t x_drawable utype) ++ (typetransition utype input_xevent_t x_event user_input_xevent_t) ++ (allow utype user_input_xevent_t (x_event (send))) ++ (allow utype user_input_xevent_t (x_synthetic_event (send))) ++ (allow utype user_input_xevent_t (x_event (receive))) ++ (allow utype user_input_xevent_t (x_synthetic_event (receive))) ++ (allow utype client_xevent_t (x_event (receive))) ++ (allow utype client_xevent_t (x_synthetic_event (receive))) ++ (allow utype xevent_t (x_event (send receive))) ++ (allow utype xevent_t (x_synthetic_event (send receive))) ++ (dontaudit utype input_xevent_type (x_event (send))) ++ (allow utype xdm_t (x_drawable (read add_child manage hide))) ++ (allow utype xdm_t (x_client (destroy))) ++ (allow utype root_xdrawable_t (x_drawable (write))) ++ (allow utype xserver_t (x_server (manage))) ++ (allow utype xserver_t (x_screen (saver_setattr saver_hide saver_show show_cursor hide_cursor))) ++ (allow utype xserver_t (x_pointer (get_property set_property manage))) ++ (allow utype xserver_t (x_keyboard (read manage freeze))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype tmp_t (dir (getattr open search))) ++ (allow utype tmp_t (lnk_file (read getattr))) ++ (allow utype tmp_t (dir (getattr open search))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype xdm_var_run_t (dir (getattr open search))) ++ (allow utype xdm_var_run_t (sock_file (write getattr append open))) ++ (allow utype xdm_t (unix_stream_socket 
(connectto))) ++ (allow utype user_tmp_t (dir (getattr open search))) ++ (allow utype user_tmp_t (sock_file (write getattr append open))) ++ (allow utype userdomain (unix_stream_socket (connectto))) ++ (allow utype xdm_log_t (file (getattr append))) ++ (booleanif (use_samba_home_dirs) ++ (true ++ (allow utype cifs_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype cifs_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype cifs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype cifs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype cifs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype cifs_t (dir (mounton))) ++ (allow utype cifs_t (filesystem (mount))) ++ ) ++ ) ++ (booleanif (use_nfs_home_dirs) ++ (true ++ (allow utype nfs_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype nfs_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype nfs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ 
(allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype autofs_t (dir (getattr open search))) ++ (allow utype nfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype autofs_t (dir (getattr open search))) ++ (allow utype nfs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype autofs_t (dir (getattr open search))) ++ (allow utype nfs_t (dir (mounton))) ++ (allow utype nfs_t (filesystem (mount))) ++ ) ++ ) ++ (booleanif (selinuxuser_rw_noexattrfile) ++ (true ++ (allow utype removable_device_t (blk_file (ioctl write getattr lock append open))) ++ (allow utype device_t (lnk_file (read getattr))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (dir (ioctl read getattr lock open search))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype removable_device_t (blk_file (ioctl read getattr lock open))) ++ (allow utype device_t (lnk_file (read getattr))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (dir (ioctl read getattr lock open search))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype dosfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype dosfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype dosfs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype dosfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype noxattrfs (dir (ioctl read write create getattr setattr lock unlink link rename open watch 
watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype noxattrfs (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype noxattrfs (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype usb_device_t (chr_file (ioctl read write getattr lock append open))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype usbfs_t (lnk_file (read getattr))) ++ (allow utype usbfs_t (dir (getattr open search))) ++ (allow utype usbfs_t (file (ioctl read write getattr lock append open))) ++ (allow utype usbfs_t (dir (getattr open search))) ++ (allow utype usbfs_t (dir (ioctl read getattr lock open search))) ++ (allow utype usbfs_t (dir (getattr open search))) ++ ) ++ ) ++ (optional confinedom_graphical_login_optional_3 ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require alsa_var_lib_t) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype alsa_var_lib_t (dir (getattr open search))) ++ (allow utype alsa_var_lib_t (file (ioctl read getattr lock open))) ++ ) ++ (optional confinedom_graphical_login_optional_4 ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require fwupd_cache_t) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype fwupd_cache_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype fwupd_cache_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ ) ++ (optional confinedom_graphical_login_optional_5 ++ ;(type dbusd_type) ++ (roletype object_r dbusd_type) ++ (typeattributeset cil_gen_require utype) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require usr_t) ++ (typeattributeset cil_gen_require entry_type) ++ 
(typeattributeset cil_gen_require exec_type) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require device_t) ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require system_dbusd_t) ++ (typeattributeset cil_gen_require session_dbusd_tmp_t) ++ (typeattributeset cil_gen_require dbusd_unconfined) ++ (typeattributeset cil_gen_require session_bus_type) ++ (typeattributeset cil_gen_require dbusd_exec_t) ++ (typeattributeset cil_gen_require dbusd_etc_t) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset cil_gen_require security_t) ++ (typeattributeset cil_gen_require sysfs_t) ++ (typeattributeset cil_gen_require userdom_home_manager_type) ++ (typeattributeset cil_gen_require shell_exec_t) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset cil_gen_require system_dbusd_var_run_t) ++ (typeattributeset cil_gen_require system_dbusd_var_lib_t) ++ (typeattributeset cil_gen_require urandom_device_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole dbusd_type) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset netlabel_peer_type (dbusd_type )) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset corenet_unlabeled_type (dbusd_type )) ++ (typeattributeset cil_gen_require syslog_client_type) ++ 
(typeattributeset syslog_client_type (dbusd_type )) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset file_type (dbusd_exec_t )) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset non_security_file_type (dbusd_exec_t )) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset exec_type (dbusd_exec_t )) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset application_domain_type (dbusd_type )) ++ (typeattributeset cil_gen_require userdom_home_manager_type) ++ (typeattributeset userdom_home_manager_type (dbusd_type )) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset ubac_constrained_type (dbusd_type )) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset kernel_system_state_reader (dbusd_type )) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset application_exec_type (dbusd_exec_t )) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset nsswitch_domain (dbusd_type )) ++ (typeattributeset cil_gen_require session_bus_type) ++ (typeattributeset session_bus_type (dbusd_type )) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset entry_type (dbusd_exec_t )) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset non_auth_file_type (dbusd_exec_t )) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset domain (dbusd_type )) ++ (allow utype system_dbusd_t (dbus (acquire_svc))) ++ (allow utype session_dbusd_tmp_t (dir (ioctl write getattr lock open add_name search))) ++ (allow utype session_dbusd_tmp_t (sock_file (create getattr setattr open))) ++ (allow dbusd_type dbusd_exec_t (file (entrypoint))) ++ (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open))) ++ (allow dbusd_type security_t (lnk_file (read getattr))) ++ (allow dbusd_type sysfs_t (filesystem (getattr))) ++ (allow dbusd_type sysfs_t 
(dir (getattr open search))) ++ (allow dbusd_type sysfs_t (dir (getattr open search))) ++ (allow dbusd_type security_t (filesystem (getattr))) ++ (allow utype dbusd_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto))) ++ (allow dbusd_type utype (unix_stream_socket (read write getattr accept getopt))) ++ (allow dbusd_type utype (unix_dgram_socket (sendto))) ++ (allow utype dbusd_type (dbus (acquire_svc send_msg))) ++ (allow dbusd_unconfined dbusd_type (dbus (acquire_svc send_msg))) ++ (allow utype system_dbusd_t (dbus (acquire_svc send_msg))) ++ (allow utype dbusd_type (process (noatsecure siginh rlimitinh))) ++ (allow dbusd_type utype (dbus (send_msg))) ++ (allow utype dbusd_type (dbus (send_msg))) ++ (allow dbusd_type utype (system (start reload))) ++ (allow dbusd_type session_dbusd_tmp_t (service (start stop))) ++ (allow utype session_dbusd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype session_dbusd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype dbusd_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype dbusd_type (process (transition))) ++ ;(typetransition utype dbusd_exec_t process dbusd_type) ++ (allow dbusd_type utype (fd (use))) ++ (allow dbusd_type utype (fifo_file (ioctl read write getattr lock append))) ++ (allow dbusd_type utype (process (sigchld))) ++ (allow utype dbusd_type (dir (ioctl read getattr lock open search))) ++ (allow utype dbusd_type (file (ioctl read getattr lock open))) ++ (allow utype dbusd_type (lnk_file (read getattr))) ++ (allow utype dbusd_type (process (getattr))) ++ (allow utype dbusd_type (process (sigchld sigkill sigstop signull signal))) 
++ (allow dbusd_type bin_t (dir (getattr open search))) ++ (allow dbusd_type bin_t (lnk_file (read getattr))) ++ (allow dbusd_type bin_t (file (ioctl read getattr map execute open))) ++ (allow dbusd_type utype (process (transition))) ++ (allow dbusd_type usr_t (dir (getattr open search))) ++ (allow dbusd_type usr_t (lnk_file (read getattr))) ++ (allow dbusd_type usr_t (file (ioctl read getattr map execute open))) ++ (allow dbusd_type utype (process (transition))) ++ (typetransition dbusd_type bin_t process utype) ++ (typetransition dbusd_type usr_t process utype) ++ (allow dbusd_type bin_t (dir (getattr open search))) ++ (allow dbusd_type bin_t (dir (ioctl read getattr lock open search))) ++ (allow dbusd_type bin_t (dir (getattr open search))) ++ (allow dbusd_type bin_t (lnk_file (read getattr))) ++ (allow dbusd_type shell_exec_t (file (ioctl read getattr map execute open))) ++ (allow dbusd_type utype (process (transition))) ++ (typetransition dbusd_type shell_exec_t process utype) ++ (allow dbusd_type utype (process (sigkill))) ++ (allow utype dbusd_type (fd (use))) ++ (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append open))) ++ (allow dbusd_type file_type (service (start stop status reload enable disable))) ++ (dontaudit dbusd_type self (capability (net_admin))) ++ (allow utype system_dbusd_t (dbus (send_msg))) ++ (allow utype self (dbus (send_msg))) ++ (allow system_dbusd_t utype (dbus (send_msg))) ++ (allow dbusd_unconfined utype (dbus (send_msg))) ++ (allow utype system_dbusd_var_lib_t (dir (getattr open search))) ++ (allow utype system_dbusd_var_lib_t (file (ioctl read getattr lock open))) ++ (allow utype system_dbusd_var_lib_t (dir (getattr open search))) ++ (allow utype system_dbusd_var_lib_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype urandom_device_t (chr_file (ioctl read 
getattr lock open))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype system_dbusd_var_run_t (dir (getattr open search))) ++ (allow utype system_dbusd_var_run_t (sock_file (write getattr append open))) ++ (allow utype system_dbusd_t (unix_stream_socket (connectto))) ++ (allow utype dbusd_etc_t (dir (ioctl read getattr lock open search))) ++ (allow utype dbusd_etc_t (file (ioctl read getattr lock open))) ++ (allow utype session_dbusd_tmp_t (dir (getattr open search))) ++ (allow utype session_dbusd_tmp_t (sock_file (write getattr append open))) ++ (allow utype utype (dbus (send_msg))) ++ (booleanif (deny_ptrace) ++ (false ++ (allow utype dbusd_type (process (ptrace))) ++ ) ++ ) ++ (optional confinedom_graphical_login_optional_6 ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require mozilla_exec_t) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset file_type (mozilla_exec_t )) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset non_security_file_type (mozilla_exec_t )) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset exec_type (mozilla_exec_t )) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset entry_type (mozilla_exec_t )) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset non_auth_file_type (mozilla_exec_t )) ++ (allow utype mozilla_exec_t (file (entrypoint))) ++ (allow utype mozilla_exec_t (file (ioctl read getattr lock map execute open))) ++ (allow dbusd_type mozilla_exec_t (file (ioctl read getattr map execute open))) ++ (allow dbusd_type 
utype (process (transition))) ++ (typetransition dbusd_type mozilla_exec_t process utype) ++ (allow utype dbusd_type (fd (use))) ++ (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append))) ++ (allow utype dbusd_type (process (sigchld))) ++ ) ++ (optional confinedom_graphical_login_optional_7 ++ (typeattributeset cil_gen_require systemd_unit_file_t) ++ (allow dbusd_type systemd_unit_file_t (service (start))) ++ ) ++ (optional confinedom_graphical_login_optional_8 ++ (typeattributeset cil_gen_require unconfined_service_t) ++ (allow utype unconfined_service_t (dbus (send_msg))) ++ (allow unconfined_service_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_graphical_login_optional_9 ++ (typeattributeset cil_gen_require accountsd_t) ++ (allow utype accountsd_t (dbus (send_msg))) ++ (allow accountsd_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_graphical_login_optional_10 ++ (typeattributeset cil_gen_require avahi_t) ++ (allow utype avahi_t (dbus (send_msg))) ++ (allow avahi_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_graphical_login_optional_11 ++ (typeattributeset cil_gen_require bluetooth_t) ++ (allow utype bluetooth_t (dbus (send_msg))) ++ (allow bluetooth_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_graphical_login_optional_12 ++ (typeattributeset cil_gen_require colord_t) ++ (allow utype colord_t (dbus (send_msg))) ++ (allow colord_t utype (dbus (send_msg))) ++ (allow colord_t utype (dir (ioctl read getattr lock open search))) ++ (allow colord_t utype (file (ioctl read getattr lock open))) ++ (allow colord_t utype (lnk_file (read getattr))) ++ (allow colord_t utype (process (getattr))) ++ ) ++ (optional confinedom_graphical_login_optional_13 ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require consolekit_t) ++ (typeattributeset cil_gen_require consolekit_log_t) ++ (typeattributeset cil_gen_require var_log_t) ++ (allow utype consolekit_t (dbus (send_msg))) ++ (allow consolekit_t 
utype (dbus (send_msg))) ++ (allow utype consolekit_log_t (dir (getattr open search))) ++ (allow utype consolekit_log_t (file (ioctl read getattr lock open))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_log_t (dir (getattr open search))) ++ ) ++ (optional confinedom_graphical_login_optional_14 ++ (typeattributeset cil_gen_require devicekit_t) ++ (typeattributeset cil_gen_require devicekit_power_t) ++ (typeattributeset cil_gen_require devicekit_disk_t) ++ (allow utype devicekit_t (dbus (send_msg))) ++ (allow devicekit_t utype (dbus (send_msg))) ++ (allow utype devicekit_power_t (dbus (send_msg))) ++ (allow devicekit_power_t utype (dbus (send_msg))) ++ (allow utype devicekit_disk_t (dbus (send_msg))) ++ (allow devicekit_disk_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_graphical_login_optional_15 ++ (typeattributeset cil_gen_require evolution_t) ++ (typeattributeset cil_gen_require evolution_alarm_t) ++ (allow utype evolution_t (dbus (send_msg))) ++ (allow evolution_t utype (dbus (send_msg))) ++ (allow utype evolution_alarm_t (dbus (send_msg))) ++ (allow evolution_alarm_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_graphical_login_optional_16 ++ (typeattributeset cil_gen_require firewalld_t) ++ (allow utype firewalld_t (dbus (send_msg))) ++ (allow firewalld_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_graphical_login_optional_17 ++ (typeattributeset cil_gen_require geoclue_t) ++ (allow utype geoclue_t (dbus (send_msg))) ++ (allow geoclue_t utype (dbus (send_msg))) ++ (allow geoclue_t utype (dir (ioctl read getattr lock open search))) ++ (allow geoclue_t utype (file (ioctl read getattr lock open))) ++ (allow geoclue_t utype (lnk_file (read getattr))) ++ (allow geoclue_t utype (process (getattr))) ++ ) ++ (optional confinedom_graphical_login_optional_18 ++ (typeattributeset cil_gen_require gconfdefaultsm_t) ++ (allow utype gconfdefaultsm_t (dbus (send_msg))) ++ (allow gconfdefaultsm_t utype (dbus (send_msg))) 
++ ) ++ (optional confinedom_graphical_login_optional_19 ++ (typeattributeset cil_gen_require fprintd_t) ++ (allow utype fprintd_t (dbus (send_msg))) ++ (allow fprintd_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_graphical_login_optional_20 ++ (typeattributeset cil_gen_require fwupd_t) ++ (allow utype fwupd_t (dbus (send_msg))) ++ (allow fwupd_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_graphical_login_optional_21 ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require hwloc_dhwd_exec_t) ++ (typeattributeset cil_gen_require hwloc_var_run_t) ++ (allow utype hwloc_dhwd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype hwloc_var_run_t (dir (getattr open search))) ++ (allow utype hwloc_var_run_t (file (ioctl read getattr lock open))) ++ ) ++ (optional confinedom_graphical_login_optional_22 ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require memcached_t) ++ (typeattributeset cil_gen_require memcached_var_run_t) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype memcached_var_run_t (dir (getattr open search))) ++ (allow utype memcached_var_run_t (sock_file (write getattr append open))) ++ (allow utype memcached_t (unix_stream_socket (connectto))) ++ ) ++ (optional confinedom_graphical_login_optional_23 ++ (typeattributeset cil_gen_require modemmanager_t) ++ (allow utype modemmanager_t (dbus (send_msg))) ++ (allow modemmanager_t utype (dbus (send_msg))) ++ ) ++ (optional 
confinedom_graphical_login_optional_24 ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require NetworkManager_t) ++ (typeattributeset cil_gen_require NetworkManager_var_lib_t) ++ (allow utype NetworkManager_t (dbus (send_msg))) ++ (allow NetworkManager_t utype (dbus (send_msg))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype NetworkManager_var_lib_t (dir (getattr open search))) ++ (allow utype NetworkManager_var_lib_t (dir (ioctl read getattr lock open search))) ++ (allow utype NetworkManager_var_lib_t (dir (getattr open search))) ++ (allow utype NetworkManager_var_lib_t (file (ioctl read getattr lock open))) ++ (allow utype NetworkManager_var_lib_t (file (map))) ++ ) ++ (optional confinedom_graphical_login_optional_25 ++ (typeattributeset cil_gen_require policykit_t) ++ (allow policykit_t utype (dir (ioctl read getattr lock open search))) ++ (allow policykit_t utype (file (ioctl read getattr lock open))) ++ (allow policykit_t utype (lnk_file (read getattr))) ++ (allow policykit_t utype (process (getattr))) ++ (allow utype policykit_t (dbus (send_msg))) ++ (allow policykit_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_graphical_login_optional_26 ++ (typeattributeset cil_gen_require rpm_t) ++ (allow utype rpm_t (dbus (send_msg))) ++ (allow rpm_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_graphical_login_optional_27 ++ (typeattributeset cil_gen_require vpnc_t) ++ (allow utype vpnc_t (dbus (send_msg))) ++ (allow vpnc_t utype (dbus (send_msg))) ++ ) ++ ) ++ (optional confinedom_graphical_login_optional_28 ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require rpm_var_lib_t) ++ (typeattributeset cil_gen_require rpm_var_cache_t) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) 
++ (allow utype rpm_var_lib_t (dir (ioctl read getattr lock open search))) ++ (allow utype rpm_var_lib_t (dir (getattr open search))) ++ (allow utype rpm_var_lib_t (file (ioctl read getattr lock open))) ++ (allow utype rpm_var_lib_t (dir (getattr open search))) ++ (allow utype rpm_var_lib_t (lnk_file (read getattr))) ++ (allow utype rpm_var_lib_t (file (map))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype rpm_var_cache_t (dir (ioctl read getattr lock open search))) ++ (allow utype rpm_var_cache_t (dir (getattr open search))) ++ (allow utype rpm_var_cache_t (file (ioctl read getattr lock open))) ++ (allow utype rpm_var_cache_t (dir (getattr open search))) ++ (allow utype rpm_var_cache_t (lnk_file (read getattr))) ++ ) ++ (optional confinedom_graphical_login_optional_29 ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require systemd_logind_t) ++ (typeattributeset cil_gen_require systemd_timedated_t) ++ (typeattributeset cil_gen_require systemd_hostnamed_t) ++ (typeattributeset cil_gen_require systemd_localed_t) ++ (typeattributeset cil_gen_require systemd_unit_file_type) ++ (typeattributeset cil_gen_require init_script_file_type) ++ (typeattributeset cil_gen_require systemd_logind_var_run_t) ++ (typeattributeset cil_gen_require systemd_logind_sessions_t) ++ (typeattributeset cil_gen_require init_var_run_t) ++ (typeattributeset cil_gen_require systemd_machined_var_run_t) ++ (typeattributeset cil_gen_require systemd_logind_inhibit_var_run_t) ++ (allow utype systemd_logind_t (dbus (send_msg))) ++ (allow systemd_logind_t utype (dbus (send_msg))) ++ (allow systemd_logind_t utype (dir (ioctl read getattr lock open search))) ++ (allow systemd_logind_t utype (file (ioctl read getattr lock open))) ++ (allow systemd_logind_t utype (lnk_file (read getattr))) ++ (allow systemd_logind_t utype (process (getattr))) ++ (allow systemd_logind_t utype (process (signal))) ++ (allow utype 
systemd_logind_t (fd (use))) ++ (allow utype systemd_timedated_t (dbus (send_msg))) ++ (allow systemd_timedated_t utype (dbus (send_msg))) ++ (allow systemd_timedated_t utype (dir (ioctl read getattr lock open search))) ++ (allow systemd_timedated_t utype (file (ioctl read getattr lock open))) ++ (allow systemd_timedated_t utype (lnk_file (read getattr))) ++ (allow systemd_timedated_t utype (process (getattr))) ++ (allow utype systemd_hostnamed_t (dbus (send_msg))) ++ (allow systemd_hostnamed_t utype (dbus (send_msg))) ++ (allow systemd_hostnamed_t utype (dir (ioctl read getattr lock open search))) ++ (allow systemd_hostnamed_t utype (file (ioctl read getattr lock open))) ++ (allow systemd_hostnamed_t utype (lnk_file (read getattr))) ++ (allow systemd_hostnamed_t utype (process (getattr))) ++ (allow utype systemd_localed_t (dbus (send_msg))) ++ (allow systemd_localed_t utype (dbus (send_msg))) ++ (allow systemd_localed_t utype (dir (ioctl read getattr lock open search))) ++ (allow systemd_localed_t utype (file (ioctl read getattr lock open))) ++ (allow systemd_localed_t utype (lnk_file (read getattr))) ++ (allow systemd_localed_t utype (process (getattr))) ++ (allow utype systemd_unit_file_type (service (start stop status reload enable disable))) ++ (allow utype init_script_file_type (service (start stop status reload enable disable))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (getattr watch))) ++ (allow utype init_var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_sessions_t (dir (getattr watch))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype 
systemd_machined_var_run_t (dir (getattr watch))) ++ (allow utype init_var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_sessions_t (dir (ioctl read getattr lock open search))) ++ (allow utype systemd_logind_sessions_t (dir (getattr open search))) ++ (allow utype systemd_logind_sessions_t (file (ioctl read getattr lock open))) ++ (allow utype systemd_logind_inhibit_var_run_t (fifo_file (write))) ++ ) ++ (optional confinedom_graphical_login_optional_30 ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require cupsd_t) ++ (typeattributeset cil_gen_require cupsd_var_run_t) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype cupsd_var_run_t (dir (getattr open search))) ++ (allow utype cupsd_var_run_t (sock_file (write getattr append open))) ++ (allow utype cupsd_t (unix_stream_socket (connectto))) ++ (allow utype cupsd_var_run_t (sock_file (read getattr open))) ++ ) ++ (optional confinedom_graphical_login_optional_31 ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require mount_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require fusermount_exec_t) ++ (typeattributeset cil_gen_require fsadm_t) ++ (typeattributeset cil_gen_require fsadm_exec_t) ++ (typeattributeset cil_gen_require mount_var_run_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole mount_t) ++ (roletype urole fsadm_t) ++ (allow utype fusermount_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype mount_t (process (transition))) ++ (typetransition utype fusermount_exec_t process mount_t) ++ (allow mount_t utype (fd (use))) ++ (allow mount_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow mount_t 
utype (process (sigchld))) ++ (allow mount_t utype (dir (ioctl read getattr lock open search))) ++ (allow mount_t utype (file (ioctl read getattr lock open))) ++ (allow mount_t utype (lnk_file (read getattr))) ++ (allow mount_t utype (process (getattr))) ++ (allow mount_t utype (unix_stream_socket (read write))) ++ (allow utype mount_t (fd (use))) ++ (allow mount_t bin_t (dir (getattr open search))) ++ (allow mount_t bin_t (lnk_file (read getattr))) ++ (allow mount_t bin_t (dir (getattr open search))) ++ (allow mount_t bin_t (dir (getattr open search))) ++ (allow mount_t fsadm_exec_t (file (ioctl read getattr map execute open))) ++ (allow mount_t fsadm_t (process (transition))) ++ (typetransition mount_t fsadm_exec_t process fsadm_t) ++ (allow fsadm_t mount_t (fd (use))) ++ (allow fsadm_t mount_t (fifo_file (ioctl read write getattr lock append))) ++ (allow fsadm_t mount_t (process (sigchld))) ++ (allow utype mount_var_run_t (dir (getattr open search))) ++ (allow utype mount_var_run_t (file (ioctl read getattr lock open))) ++ (allow utype mount_var_run_t (dir (getattr open search))) ++ (allow utype mount_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ ) ++ (optional confinedom_graphical_login_optional_32 ++ (typeattributeset cil_gen_require home_root_t) ++ (typeattributeset cil_gen_require tmp_t) ++ (typeattributeset cil_gen_require user_tmp_t) ++ (typeattributeset cil_gen_require user_home_dir_t) ++ (typeattributeset cil_gen_require tmpfs_t) ++ (typeattributeset cil_gen_require pulseaudio_tmpfsfile) ++ (typeattributeset cil_gen_require pulseaudio_t) ++ (typeattributeset cil_gen_require pulseaudio_exec_t) ++ (typeattributeset cil_gen_require pulseaudio_tmpfs_t) ++ (typeattributeset cil_gen_require user_tmp_type) ++ (typeattributeset cil_gen_require 
pulseaudio_home_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole user_tmp_t) ++ (roletype urole pulseaudio_t) ++ (allow utype pulseaudio_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype pulseaudio_t (process (transition))) ++ (typetransition utype pulseaudio_exec_t process pulseaudio_t) ++ (allow pulseaudio_t utype (fd (use))) ++ (allow pulseaudio_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow pulseaudio_t utype (process (sigchld))) ++ (allow utype pulseaudio_t (dir (ioctl read getattr lock open search))) ++ (allow utype pulseaudio_t (file (ioctl read getattr lock open))) ++ (allow utype pulseaudio_t (lnk_file (read getattr))) ++ (allow utype pulseaudio_t (process (getattr))) ++ (allow pulseaudio_t utype (process (signull signal))) ++ (allow utype pulseaudio_t (process (sigkill signull signal))) ++ (allow utype pulseaudio_t (process2 (nnp_transition))) ++ (allow pulseaudio_t utype (dir (ioctl read getattr lock open search))) ++ (allow pulseaudio_t utype (file (ioctl read getattr lock open))) ++ (allow pulseaudio_t utype (lnk_file (read getattr))) ++ (allow pulseaudio_t utype (process (getattr))) ++ (allow pulseaudio_t utype (unix_stream_socket (connectto))) ++ (allow utype pulseaudio_t (unix_stream_socket (connectto))) ++ (allow utype pulseaudio_tmpfsfile (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype pulseaudio_tmpfs_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype pulseaudio_tmpfsfile (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) ++ (allow utype pulseaudio_tmpfs_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open 
watch watch_reads))) ++ (typemember pulseaudio_t tmp_t dir user_tmp_t) ++ (allow pulseaudio_t user_tmp_type (dir (mounton))) ++ (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow pulseaudio_t user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow pulseaudio_t user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow pulseaudio_t user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow pulseaudio_t user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow pulseaudio_t user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow pulseaudio_t tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (typetransition pulseaudio_t tmp_t fifo_file user_tmp_t) ++ (typetransition pulseaudio_t tmp_t sock_file user_tmp_t) ++ (typetransition pulseaudio_t tmp_t lnk_file user_tmp_t) ++ (typetransition pulseaudio_t tmp_t dir user_tmp_t) ++ (typetransition pulseaudio_t tmp_t file user_tmp_t) ++ (allow user_tmp_t tmpfs_t (filesystem (associate))) ++ (allow pulseaudio_t tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (typetransition pulseaudio_t tmpfs_t fifo_file user_tmp_t) ++ 
(typetransition pulseaudio_t tmpfs_t sock_file user_tmp_t) ++ (typetransition pulseaudio_t tmpfs_t lnk_file user_tmp_t) ++ (typetransition pulseaudio_t tmpfs_t dir user_tmp_t) ++ (typetransition pulseaudio_t tmpfs_t file user_tmp_t) ++ (allow pulseaudio_t user_tmp_type (dir (getattr open search))) ++ (allow pulseaudio_t user_tmp_type (dir (getattr relabelfrom relabelto))) ++ (allow pulseaudio_t user_tmp_type (dir (getattr open search))) ++ (allow pulseaudio_t user_tmp_type (file (getattr relabelfrom relabelto))) ++ (allow pulseaudio_t user_tmp_type (dir (getattr open search))) ++ (allow pulseaudio_t user_tmp_type (lnk_file (getattr relabelfrom relabelto))) ++ (allow pulseaudio_t user_tmp_type (dir (getattr open search))) ++ (allow pulseaudio_t user_tmp_type (sock_file (getattr relabelfrom relabelto))) ++ (allow pulseaudio_t user_tmp_type (dir (getattr open search))) ++ (allow pulseaudio_t user_tmp_type (fifo_file (getattr relabelfrom relabelto))) ++ (allow pulseaudio_t user_tmp_type (file (map))) ++ (allow utype pulseaudio_t (dbus (send_msg))) ++ (allow pulseaudio_t utype (dbus (acquire_svc send_msg))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (typetransition utype user_home_dir_t file ".esd_auth" pulseaudio_home_t) ++ (typetransition utype user_home_dir_t file ".pulse-cookie" pulseaudio_home_t) ++ (typetransition utype user_home_dir_t dir ".pulse" pulseaudio_home_t) 
++ (optional confinedom_graphical_login_optional_33 ++ (typeattributeset cil_gen_require home_root_t) ++ (typeattributeset cil_gen_require user_home_dir_t) ++ (typeattributeset cil_gen_require config_home_t) ++ (allow utype config_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_dir_t (dir (getattr open search))) ++ (allow utype user_home_dir_t (lnk_file (read getattr))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (typetransition utype config_home_t dir "pulse" pulseaudio_home_t) ++ ) ++ ) ++ (optional confinedom_graphical_login_optional_34 ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require var_log_t) ++ (typeattributeset cil_gen_require vdagent_log_t) ++ (typeattributeset cil_gen_require vdagent_var_run_t) ++ (typeattributeset cil_gen_require vdagent_t) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_log_t (dir (getattr open search))) ++ (allow utype vdagent_log_t (file (getattr))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype vdagent_var_run_t (dir (getattr open search))) ++ (allow utype vdagent_var_run_t (sock_file (write getattr append open))) ++ (allow utype vdagent_t (unix_stream_socket (connectto))) ++ ) ++ (optional confinedom_graphical_login_optional_35 ++ (typeattributeset cil_gen_require proc_t) ++ (typeattributeset cil_gen_require rtkit_daemon_t) ++ (allow rtkit_daemon_t utype (process (getsched setsched))) ++ (allow utype proc_t (dir (getattr open search))) ++ (allow utype proc_t (dir (getattr open search))) ++ (allow rtkit_daemon_t utype (dir (ioctl read getattr lock open search))) ++ (allow rtkit_daemon_t utype (file (ioctl read getattr lock open))) ++ 
(allow rtkit_daemon_t utype (lnk_file (read getattr))) ++ (allow rtkit_daemon_t utype (process (getattr))) ++ (optional confinedom_graphical_login_optional_36 ++ (typeattributeset cil_gen_require rtkit_daemon_t) ++ (allow utype rtkit_daemon_t (dbus (send_msg))) ++ (allow rtkit_daemon_t utype (dbus (send_msg))) ++ ) ++ ) ++ ) ++) ++ ++(macro confinedom_mozilla_usage_macro ((type utype) (role urole)) ++ (optional confinedom_mozilla_usage_optional ++ (roleattributeset cil_gen_require mozilla_roles) ++ (roleattributeset cil_gen_require urole) ++ (typeattributeset cil_gen_require mozilla_t) ++ (typeattributeset cil_gen_require mozilla_exec_t) ++ (typeattributeset cil_gen_require mozilla_home_t) ++ (typeattributeset cil_gen_require mozilla_tmpfs_t) ++ (typeattributeset cil_gen_require utype) ++ (optional confinedom_mozilla_usage_optional_3 ++ (roleattributeset cil_gen_require mozilla_plugin_roles) ++ (roleattributeset cil_gen_require mozilla_plugin_config_roles) ++ (typeattributeset cil_gen_require mozilla_t) ++ (typeattributeset cil_gen_require mozilla_home_t) ++ (typeattributeset cil_gen_require mozilla_plugin_t) ++ (typeattributeset cil_gen_require mozilla_plugin_exec_t) ++ (typeattributeset cil_gen_require mozilla_plugin_config_t) ++ (typeattributeset cil_gen_require mozilla_plugin_config_exec_t) ++ (typeattributeset cil_gen_require mozilla_plugin_rw_t) ++ (typeattributeset cil_gen_require lib_t) ++ (typeattributeset cil_gen_require user_home_dir_t) ++ (typeattributeset cil_gen_require home_root_t) ++ (roleattributeset cil_gen_require mozilla_plugin_config_roles) ++ (roleattributeset mozilla_plugin_config_roles (urole )) ++ (roleattributeset cil_gen_require mozilla_plugin_roles) ++ (roleattributeset mozilla_plugin_roles (urole )) ++ (allow utype mozilla_t (process (noatsecure siginh rlimitinh))) ++ (allow utype mozilla_t (dir (ioctl read getattr lock open search))) ++ (allow utype mozilla_t (file (ioctl read getattr lock open))) ++ (allow utype mozilla_t (lnk_file 
(read getattr))) ++ (allow utype mozilla_t (process (getattr))) ++ (allow utype mozilla_t (process (sigchld sigkill sigstop signull signal))) ++ (allow utype mozilla_t (fd (use))) ++ (allow utype mozilla_t (shm (getattr associate))) ++ (allow utype mozilla_t (shm (unix_read unix_write))) ++ (allow utype mozilla_t (unix_stream_socket (connectto))) ++ (allow utype mozilla_plugin_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype mozilla_plugin_t (process (transition))) ++ (typetransition utype mozilla_plugin_exec_t process mozilla_plugin_t) ++ (allow mozilla_plugin_t utype (fd (use))) ++ (allow mozilla_plugin_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow mozilla_plugin_t utype (process (sigchld))) ++ (allow utype mozilla_plugin_config_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype mozilla_plugin_config_t (process (transition))) ++ (typetransition utype mozilla_plugin_config_exec_t process mozilla_plugin_config_t) ++ (allow mozilla_plugin_config_t utype (fd (use))) ++ (allow mozilla_plugin_config_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow mozilla_plugin_config_t utype (process (sigchld))) ++ (allow mozilla_plugin_t utype (process (signull))) ++ (dontaudit mozilla_plugin_config_t utype (file (ioctl read getattr lock))) ++ (dontaudit mozilla_plugin_t utype (process (signal))) ++ (allow utype mozilla_plugin_t (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown connectto))) ++ (allow utype mozilla_plugin_t (fd (use))) ++ (allow mozilla_plugin_t utype (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown))) ++ (allow mozilla_plugin_t utype (unix_dgram_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown sendto))) ++ (allow mozilla_plugin_t utype (shm (destroy getattr read write associate unix_read unix_write lock))) ++ (allow mozilla_plugin_t utype 
(sem (create destroy getattr setattr read write associate unix_read unix_write))) ++ (allow utype mozilla_plugin_t (sem (getattr read write associate unix_read unix_write))) ++ (allow utype mozilla_plugin_t (shm (getattr read write associate unix_read unix_write lock))) ++ (allow utype mozilla_plugin_t (fifo_file (ioctl read write getattr lock append open))) ++ (allow utype mozilla_plugin_t (dir (ioctl read getattr lock open search))) ++ (allow utype mozilla_plugin_t (file (ioctl read getattr lock open))) ++ (allow utype mozilla_plugin_t (lnk_file (read getattr))) ++ (allow utype mozilla_plugin_t (process (getattr))) ++ (allow mozilla_plugin_t utype (dir (ioctl read getattr lock open search))) ++ (allow mozilla_plugin_t utype (file (ioctl read getattr lock open))) ++ (allow mozilla_plugin_t utype (lnk_file (read getattr))) ++ (allow mozilla_plugin_t utype (process (getattr))) ++ (allow utype mozilla_plugin_t (process (sigchld sigkill sigstop signull signal noatsecure))) ++ (allow utype mozilla_plugin_rw_t (dir (getattr open search))) ++ (allow utype mozilla_plugin_rw_t (dir (ioctl read getattr lock open search))) ++ (allow utype mozilla_plugin_rw_t (dir (getattr open search))) ++ (allow utype mozilla_plugin_rw_t (file (ioctl read getattr lock open))) ++ (allow utype mozilla_plugin_rw_t (dir (getattr open search))) ++ (allow utype mozilla_plugin_rw_t (lnk_file (read getattr))) ++ (allow utype mozilla_plugin_rw_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype mozilla_plugin_t (dbus (send_msg))) ++ (allow mozilla_plugin_t utype (dbus (send_msg))) ++ (allow mozilla_plugin_t utype (process (signull))) ++ (allow utype mozilla_t (dbus (send_msg))) ++ (allow mozilla_t utype (dbus (send_msg))) ++ (allow utype mozilla_plugin_rw_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir 
(getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t 
(lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype 
user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (typetransition utype user_home_dir_t dir ".webex" mozilla_home_t) ++ (typetransition utype user_home_dir_t file "mozilla.pdf" mozilla_home_t) ++ (typetransition utype user_home_dir_t file ".gnashpluginrc" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".IBMERS" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".lyx" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".juniper_networks" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir "zimbrauserdata" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".ICAClient" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".spicec" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".quakelive" mozilla_home_t) ++ (typetransition utype user_home_dir_t file "abc" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".icedtea" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir 
".icedteaplugin" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".gcjwebplugin" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".grl-podcasts" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".gnash" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".macromedia" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".adobe" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".phoenix" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".netscape" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".thunderbird" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".mozilla" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".java" mozilla_home_t) ++ (typetransition utype user_home_dir_t dir ".galeon" mozilla_home_t) ++ (typetransition utype mozilla_plugin_rw_t file "nswrapper_32_64.nppdf.so" lib_t) ++ (booleanif (deny_ptrace) ++ (false ++ (allow utype mozilla_plugin_t (process (ptrace))) ++ ) ++ ) ++ (optional confinedom_mozilla_usage_optional_4 ++ (roleattributeset cil_gen_require lpr_roles) ++ (typeattributeset cil_gen_require lpr_t) ++ (typeattributeset cil_gen_require lpr_exec_t) ++ (roleattributeset cil_gen_require lpr_roles) ++ (roleattributeset lpr_roles (urole )) ++ (allow mozilla_plugin_t lpr_exec_t (file (ioctl read getattr map execute open))) ++ (allow mozilla_plugin_t lpr_t (process (transition))) ++ (typetransition mozilla_plugin_t lpr_exec_t process lpr_t) ++ (allow lpr_t mozilla_plugin_t (fd (use))) ++ (allow lpr_t mozilla_plugin_t (fifo_file (ioctl read write getattr lock append))) ++ (allow lpr_t mozilla_plugin_t (process (sigchld))) ++ ) ++ (optional confinedom_mozilla_usage_optional_5 ++ (typeattributeset cil_gen_require user_home_dir_t) ++ (typeattributeset cil_gen_require home_root_t) ++ (typeattributeset cil_gen_require cache_home_t) ++ (allow utype cache_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ 
(allow utype user_home_dir_t (dir (getattr open search))) ++ (allow utype user_home_dir_t (lnk_file (read getattr))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype cache_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_dir_t (dir (getattr open search))) ++ (allow utype user_home_dir_t (lnk_file (read getattr))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (typetransition utype cache_home_t dir "icedtea-web" mozilla_home_t) ++ (typetransition utype cache_home_t dir "mozilla" mozilla_home_t) ++ ) ++ ) ++ ) ++) ++ ++(macro confinedom_networking_macro ((type utype) (role urole)) ++ (optional confinedom_networking_optional_2 ++ (roleattributeset cil_gen_require urole) ++ (typeattributeset cil_gen_require utype) ++ (typeattributeset cil_gen_require ping_t) ++ (typeattributeset cil_gen_require ping_exec_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require traceroute_t) ++ (typeattributeset cil_gen_require traceroute_exec_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole ping_t) ++ (roletype urole traceroute_t) ++ (booleanif (selinuxuser_ping) ++ (true ++ (allow utype ping_t (process (sigkill signal))) ++ (allow ping_t utype (process (sigchld))) ++ (allow ping_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow ping_t utype (fd (use))) ++ (typetransition utype ping_exec_t process ping_t) ++ (allow utype ping_t (process (transition))) ++ (allow utype ping_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype traceroute_t (process (sigkill signal))) ++ (allow traceroute_t utype (process 
(sigchld))) ++ (allow traceroute_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow traceroute_t utype (fd (use))) ++ (typetransition utype traceroute_exec_t process traceroute_t) ++ (allow utype traceroute_t (process (transition))) ++ (allow utype traceroute_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ ) ++ ) ++ ) ++) ++ ++(macro confinedom_security_advanced_macro ((type utype) (role urole) (type sudo_type) (type userhelper_type)) ++ (optional confinedom_security_advanced_optional_2 ++ (roleattributeset cil_gen_require urole) ++ (typeattributeset cil_gen_require utype) ++ (typeattributeset cil_gen_require sudo_type) ++ (typeattributeset cil_gen_require auditd_log_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require auditd_etc_t) ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require security_t) ++ (typeattributeset cil_gen_require can_setenforce) ++ (typeattributeset cil_gen_require sysfs_t) ++ (typeattributeset cil_gen_require secure_mode_policyload_t) ++ (typeattributeset cil_gen_require boolean_type) ++ (typeattributeset cil_gen_require can_setbool) ++ (typeattributeset cil_gen_require semanage_t) ++ (typeattributeset cil_gen_require selinux_config_t) ++ (typeattributeset cil_gen_require semanage_store_t) ++ (typeattributeset cil_gen_require selinux_login_config_t) ++ (typeattributeset cil_gen_require semanage_exec_t) ++ (typeattributeset cil_gen_require usr_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require setfiles_t) ++ (typeattributeset cil_gen_require setfiles_exec_t) ++ (typeattributeset cil_gen_require load_policy_t) ++ (typeattributeset cil_gen_require load_policy_exec_t) ++ (typeattributeset cil_gen_require newrole_t) ++ 
(typeattributeset cil_gen_require newrole_exec_t) ++ (typeattributeset cil_gen_require updpwd_t) ++ (typeattributeset cil_gen_require updpwd_exec_t) ++ (typeattributeset cil_gen_require shadow_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole semanage_t) ++ (roletype urole setfiles_t) ++ (roletype urole load_policy_t) ++ (roletype urole newrole_t) ++ (roletype urole updpwd_t) ++ (typeattributeset cil_gen_require can_setbool) ++ (typeattributeset can_setbool (utype )) ++ (typeattributeset cil_gen_require can_setenforce) ++ (typeattributeset can_setenforce (utype )) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype auditd_log_t (dir (getattr open search))) ++ (allow utype auditd_log_t (file (ioctl read getattr lock open))) ++ (allow utype auditd_log_t (dir (getattr open search))) ++ (allow utype auditd_log_t (lnk_file (read getattr))) ++ (allow utype auditd_log_t (dir (ioctl read getattr lock open search))) ++ (allow utype etc_t (dir (getattr open search))) ++ (allow utype auditd_etc_t (dir (getattr open search))) ++ (allow utype auditd_etc_t (file (ioctl read getattr lock open))) ++ (allow utype auditd_etc_t (dir (ioctl read getattr lock open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype security_t (dir (ioctl read getattr lock open search))) ++ (allow utype security_t (file (ioctl read write getattr lock append open))) ++ (allow utype sysfs_t (filesystem (getattr))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype security_t (lnk_file (read getattr))) ++ (allow utype security_t (dir (ioctl read getattr lock open search))) ++ (allow utype boolean_type (dir (ioctl read getattr lock open search))) ++ (allow utype boolean_type (file (ioctl read write getattr lock append open))) ++ (allow semanage_t utype (dir (ioctl read getattr lock open search))) ++ (allow semanage_t utype (file 
(ioctl read getattr lock open))) ++ (allow semanage_t utype (lnk_file (read getattr))) ++ (allow semanage_t utype (process (getattr))) ++ (allow utype semanage_t (dbus (send_msg))) ++ (allow semanage_t utype (dbus (send_msg))) ++ (allow utype etc_t (dir (getattr open search))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype semanage_store_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype semanage_store_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype semanage_store_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype semanage_store_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype etc_t (dir (getattr open search))) ++ (allow utype selinux_config_t (dir (getattr open search))) ++ (allow utype selinux_login_config_t (dir (ioctl read getattr lock open search))) ++ (allow utype 
selinux_login_config_t (dir (getattr open search))) ++ (allow utype selinux_login_config_t (file (ioctl read getattr lock open))) ++ (allow utype selinux_login_config_t (dir (getattr open search))) ++ (allow utype selinux_login_config_t (lnk_file (read getattr))) ++ (allow sudo_type usr_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (lnk_file (read getattr))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type semanage_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type semanage_t (process (transition))) ++ (typetransition sudo_type semanage_exec_t process semanage_t) ++ (allow semanage_t sudo_type (fd (use))) ++ (allow semanage_t sudo_type (fifo_file (ioctl read write getattr lock append))) ++ (allow semanage_t sudo_type (process (sigchld))) ++ (allow semanage_t usr_t (dir (getattr open search))) ++ (allow semanage_t bin_t (dir (getattr open search))) ++ (allow semanage_t bin_t (lnk_file (read getattr))) ++ (allow semanage_t bin_t (dir (getattr open search))) ++ (allow semanage_t bin_t (dir (getattr open search))) ++ (allow semanage_t setfiles_exec_t (file (ioctl read getattr map execute open))) ++ (allow semanage_t setfiles_t (process (transition))) ++ (typetransition semanage_t setfiles_exec_t process setfiles_t) ++ (allow setfiles_t semanage_t (fd (use))) ++ (allow setfiles_t semanage_t (fifo_file (ioctl read write getattr lock append))) ++ (allow setfiles_t semanage_t (process (sigchld))) ++ (allow semanage_t bin_t (dir (getattr open search))) ++ (allow semanage_t bin_t (lnk_file (read getattr))) ++ (allow semanage_t bin_t (dir (getattr open search))) ++ (allow semanage_t bin_t (dir (getattr open search))) ++ (allow semanage_t load_policy_exec_t (file (ioctl read getattr map execute open))) ++ (allow semanage_t load_policy_t (process (transition))) ++ (typetransition semanage_t load_policy_exec_t 
process load_policy_t) ++ (allow load_policy_t semanage_t (fd (use))) ++ (allow load_policy_t semanage_t (fifo_file (ioctl read write getattr lock append))) ++ (allow load_policy_t semanage_t (process (sigchld))) ++ (allow utype usr_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype newrole_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype newrole_t (process (transition))) ++ (typetransition utype newrole_exec_t process newrole_t) ++ (allow newrole_t utype (fd (use))) ++ (allow newrole_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow newrole_t utype (process (sigchld))) ++ (allow newrole_t updpwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow newrole_t updpwd_t (process (transition))) ++ (typetransition newrole_t updpwd_exec_t process updpwd_t) ++ (allow updpwd_t newrole_t (fd (use))) ++ (allow updpwd_t newrole_t (fifo_file (ioctl read write getattr lock append))) ++ (allow updpwd_t newrole_t (process (sigchld))) ++ (dontaudit newrole_t shadow_t (file (ioctl read getattr lock open))) ++ (allow sudo_type usr_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (lnk_file (read getattr))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type setfiles_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type setfiles_t (process (transition))) ++ (typetransition sudo_type setfiles_exec_t process setfiles_t) ++ (allow setfiles_t sudo_type (fd (use))) ++ (allow setfiles_t sudo_type (fifo_file (ioctl read write getattr lock append))) ++ (allow setfiles_t sudo_type (process (sigchld))) ++ (typetransition utype selinux_config_t dir "tmp" semanage_store_t) ++ (typetransition 
utype selinux_config_t dir "previous" semanage_store_t) ++ (typetransition utype selinux_config_t dir "active" semanage_store_t) ++ (typetransition utype selinux_config_t dir "modules" semanage_store_t) ++ (optional confinedom_security_advanced_optional_3 ++ (typeattributeset cil_gen_require usr_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require setfiles_t) ++ (typeattributeset cil_gen_require setfiles_exec_t) ++ (typeattributeset cil_gen_require namespace_init_t) ++ (typeattributeset cil_gen_require namespace_init_exec_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole setfiles_t) ++ (roletype urole namespace_init_t) ++ (allow newrole_t namespace_init_exec_t (file (ioctl read getattr map execute open))) ++ (allow newrole_t namespace_init_t (process (transition))) ++ (typetransition newrole_t namespace_init_exec_t process namespace_init_t) ++ (allow namespace_init_t newrole_t (fd (use))) ++ (allow namespace_init_t newrole_t (fifo_file (ioctl read write getattr lock append))) ++ (allow namespace_init_t newrole_t (process (sigchld))) ++ (allow namespace_init_t usr_t (dir (getattr open search))) ++ (allow namespace_init_t bin_t (dir (getattr open search))) ++ (allow namespace_init_t bin_t (lnk_file (read getattr))) ++ (allow namespace_init_t bin_t (dir (getattr open search))) ++ (allow namespace_init_t bin_t (dir (getattr open search))) ++ (allow namespace_init_t setfiles_exec_t (file (ioctl read getattr map execute open))) ++ (allow namespace_init_t setfiles_t (process (transition))) ++ (typetransition namespace_init_t setfiles_exec_t process setfiles_t) ++ (allow setfiles_t namespace_init_t (fd (use))) ++ (allow setfiles_t namespace_init_t (fifo_file (ioctl read write getattr lock append))) ++ (allow setfiles_t namespace_init_t (process (sigchld))) ++ ) ++ (optional confinedom_security_advanced_optional_4 ++ (roletype object_r userhelper_type) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset 
cil_gen_require etc_t) ++ (typeattributeset cil_gen_require security_t) ++ (typeattributeset cil_gen_require sysfs_t) ++ (typeattributeset cil_gen_require selinux_config_t) ++ (typeattributeset cil_gen_require usr_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require updpwd_t) ++ (typeattributeset cil_gen_require updpwd_exec_t) ++ (typeattributeset cil_gen_require shadow_t) ++ (typeattributeset cil_gen_require userhelper_type) ++ (typeattributeset cil_gen_require userhelper_exec_t) ++ (typeattributeset cil_gen_require userhelper_conf_t) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset cil_gen_require can_change_process_role) ++ (typeattributeset cil_gen_require can_change_object_identity) ++ (typeattributeset cil_gen_require privfd) ++ (typeattributeset cil_gen_require can_change_process_identity) ++ (typeattributeset cil_gen_require sysctl_type) ++ (typeattributeset cil_gen_require proc_t) ++ (typeattributeset cil_gen_require proc_net_t) ++ (typeattributeset cil_gen_require debugfs_t) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset cil_gen_require shell_exec_t) ++ (typeattributeset cil_gen_require device_t) ++ (typeattributeset cil_gen_require urandom_device_t) ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require etc_runtime_t) ++ (typeattributeset cil_gen_require home_root_t) ++ (typeattributeset cil_gen_require autofs_t) ++ (typeattributeset 
cil_gen_require nfs_t) ++ (typeattributeset cil_gen_require devpts_t) ++ (typeattributeset cil_gen_require ttynode) ++ (typeattributeset cil_gen_require ptynode) ++ (typeattributeset cil_gen_require chkpwd_t) ++ (typeattributeset cil_gen_require chkpwd_exec_t) ++ (typeattributeset cil_gen_require auth_cache_t) ++ (typeattributeset cil_gen_require random_device_t) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset cil_gen_require faillog_t) ++ (typeattributeset cil_gen_require var_log_t) ++ (typeattributeset cil_gen_require cert_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require pam_var_run_t) ++ (typeattributeset cil_gen_require var_auth_t) ++ (typeattributeset cil_gen_require pam_var_console_t) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset cil_gen_require init_t) ++ (typeattributeset cil_gen_require initrc_var_run_t) ++ (typeattributeset cil_gen_require default_context_t) ++ (typeattributeset cil_gen_require unpriv_userdomain) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole userhelper_type) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset netlabel_peer_type (userhelper_type )) ++ (typeattributeset cil_gen_require can_change_process_identity) ++ (typeattributeset can_change_process_identity (userhelper_type )) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset corenet_unlabeled_type (userhelper_type )) ++ (typeattributeset cil_gen_require privfd) ++ (typeattributeset privfd (userhelper_type )) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset syslog_client_type (userhelper_type )) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset file_type (userhelper_exec_t )) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset non_security_file_type (userhelper_exec_t )) ++ 
(typeattributeset cil_gen_require can_change_object_identity) ++ (typeattributeset can_change_object_identity (userhelper_type )) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset exec_type (userhelper_exec_t )) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset application_domain_type (userhelper_type )) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset ubac_constrained_type (userhelper_type )) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset kernel_system_state_reader (userhelper_type )) ++ (typeattributeset cil_gen_require can_change_process_role) ++ (typeattributeset can_change_process_role (userhelper_type )) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset application_exec_type (userhelper_exec_t )) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset nsswitch_domain (userhelper_type )) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset entry_type (userhelper_exec_t )) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset non_auth_file_type (userhelper_exec_t )) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset domain (userhelper_type )) ++ (typeattributeset cil_gen_require userhelper_type) ++ (allow userhelper_type userhelper_exec_t (file (entrypoint))) ++ (allow userhelper_type userhelper_exec_t (file (ioctl read getattr lock map execute open))) ++ (allow userhelper_type self (capability (chown dac_read_search setgid setuid net_bind_service sys_tty_config))) ++ (allow userhelper_type self (process (fork transition sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit))) ++ (allow userhelper_type self (process (setexec))) ++ (allow userhelper_type self (fd (use))) ++ (allow userhelper_type self 
(fifo_file (ioctl read write getattr lock append open))) ++ (allow userhelper_type self (shm (create destroy getattr setattr read write associate unix_read unix_write lock))) ++ (allow userhelper_type self (sem (create destroy getattr setattr read write associate unix_read unix_write))) ++ (allow userhelper_type self (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue))) ++ (allow userhelper_type self (msg (send receive))) ++ (allow userhelper_type self (unix_dgram_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) ++ (allow userhelper_type self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown))) ++ (allow userhelper_type self (unix_dgram_socket (sendto))) ++ (allow userhelper_type self (unix_stream_socket (connectto))) ++ (allow userhelper_type self (sock_file (read getattr open))) ++ (allow utype userhelper_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype userhelper_type (process (transition))) ++ (typetransition utype userhelper_exec_t process userhelper_type) ++ (allow userhelper_type utype (fd (use))) ++ (allow userhelper_type utype (fifo_file (ioctl read write getattr lock append))) ++ (allow userhelper_type utype (process (sigchld))) ++ (allow userhelper_type userhelper_conf_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow userhelper_type userhelper_conf_t (dir (getattr open search))) ++ (allow userhelper_type userhelper_conf_t (file (ioctl read write getattr lock append open))) ++ (allow userhelper_type userhelper_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (dontaudit utype userhelper_type (process (signal))) ++ (allow userhelper_type sysctl_type (dir (getattr open search))) ++ (allow userhelper_type proc_t (dir (getattr open search))) ++ (allow userhelper_type proc_net_t (dir (getattr open search))) ++ (allow 
userhelper_type sysctl_type (file (ioctl read getattr lock open))) ++ (allow userhelper_type proc_t (dir (getattr open search))) ++ (allow userhelper_type proc_net_t (dir (getattr open search))) ++ (allow userhelper_type sysctl_type (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type debugfs_t (filesystem (getattr))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type bin_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type bin_t (lnk_file (read getattr))) ++ (allow userhelper_type shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow userhelper_type shell_exec_t (file (map))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type bin_t (lnk_file (read getattr))) ++ (allow userhelper_type bin_t (file (ioctl read getattr map execute open))) ++ (allow userhelper_type utype (process (transition))) ++ (allow userhelper_type usr_t (dir (getattr open search))) ++ (allow userhelper_type usr_t (lnk_file (read getattr))) ++ (allow userhelper_type usr_t (file (ioctl read getattr map execute open))) ++ (allow userhelper_type utype (process (transition))) ++ (typetransition userhelper_type bin_t process utype) ++ (typetransition userhelper_type usr_t process utype) ++ (allow userhelper_type privfd (fd (use))) ++ (allow userhelper_type privfd (process (sigchld))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type urandom_device_t (chr_file (ioctl read getattr lock open))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type device_t (lnk_file (read getattr))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_lib_t (dir 
(ioctl read getattr lock open search))) ++ (allow userhelper_type etc_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type etc_t (dir (getattr open search))) ++ (allow userhelper_type etc_t (file (ioctl read getattr lock open))) ++ (allow userhelper_type etc_t (dir (getattr open search))) ++ (allow userhelper_type etc_t (lnk_file (read getattr))) ++ (allow userhelper_type etc_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type etc_t (dir (getattr open search))) ++ (allow userhelper_type etc_runtime_t (file (ioctl read getattr lock open))) ++ (allow userhelper_type etc_t (dir (getattr open search))) ++ (allow userhelper_type etc_runtime_t (lnk_file (read getattr))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_t (file (ioctl read getattr lock open))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_t (lnk_file (read getattr))) ++ (allow userhelper_type home_root_t (dir (getattr open search))) ++ (allow userhelper_type home_root_t (lnk_file (read getattr))) ++ (allow userhelper_type autofs_t (dir (getattr open search))) ++ (allow userhelper_type autofs_t (dir (getattr open search))) ++ (allow userhelper_type nfs_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type nfs_t (dir (getattr open search))) ++ (allow userhelper_type nfs_t (file (ioctl read getattr lock open))) ++ (allow userhelper_type nfs_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type nfs_t (dir (getattr open search))) ++ (allow userhelper_type nfs_t (lnk_file (read getattr))) ++ (allow userhelper_type security_t (lnk_file (read getattr))) ++ (allow userhelper_type sysfs_t (filesystem (getattr))) ++ (allow userhelper_type sysfs_t (dir (getattr open search))) ++ (allow userhelper_type sysfs_t (dir (getattr open search))) ++ (allow userhelper_type security_t (filesystem (getattr))) ++ (allow userhelper_type sysfs_t (filesystem (getattr))) 
++ (allow userhelper_type sysfs_t (dir (getattr open search))) ++ (allow userhelper_type sysfs_t (dir (getattr open search))) ++ (allow userhelper_type security_t (lnk_file (read getattr))) ++ (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type security_t (file (ioctl read write getattr lock append map open))) ++ (allow userhelper_type security_t (security (check_context))) ++ (allow userhelper_type sysfs_t (filesystem (getattr))) ++ (allow userhelper_type sysfs_t (dir (getattr open search))) ++ (allow userhelper_type sysfs_t (dir (getattr open search))) ++ (allow userhelper_type security_t (lnk_file (read getattr))) ++ (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) ++ (allow userhelper_type security_t (security (compute_av))) ++ (allow userhelper_type sysfs_t (filesystem (getattr))) ++ (allow userhelper_type sysfs_t (dir (getattr open search))) ++ (allow userhelper_type sysfs_t (dir (getattr open search))) ++ (allow userhelper_type security_t (lnk_file (read getattr))) ++ (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) ++ (allow userhelper_type security_t (security (compute_create))) ++ (allow userhelper_type sysfs_t (filesystem (getattr))) ++ (allow userhelper_type sysfs_t (dir (getattr open search))) ++ (allow userhelper_type sysfs_t (dir (getattr open search))) ++ (allow userhelper_type security_t (lnk_file (read getattr))) ++ (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) ++ (allow userhelper_type security_t (security (compute_relabel))) ++ (allow userhelper_type sysfs_t (filesystem (getattr))) ++ (allow userhelper_type sysfs_t (dir (getattr open 
search))) ++ (allow userhelper_type sysfs_t (dir (getattr open search))) ++ (allow userhelper_type security_t (lnk_file (read getattr))) ++ (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) ++ (allow userhelper_type security_t (security (compute_user))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type device_t (lnk_file (read getattr))) ++ (allow userhelper_type devpts_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type device_t (lnk_file (read getattr))) ++ (allow userhelper_type ttynode (chr_file (getattr relabelfrom relabelto))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type device_t (lnk_file (read getattr))) ++ (allow userhelper_type devpts_t (dir (getattr open search))) ++ (allow userhelper_type devpts_t (chr_file (getattr relabelfrom relabelto))) ++ (allow userhelper_type ptynode (chr_file (getattr relabelfrom relabelto))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type device_t (lnk_file (read getattr))) ++ (allow userhelper_type ttynode (chr_file (ioctl read write getattr lock append open))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow 
userhelper_type device_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type device_t (lnk_file (read getattr))) ++ (allow userhelper_type devpts_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type ptynode (chr_file (ioctl read write getattr lock append open))) ++ (allow userhelper_type auth_cache_t (dir (getattr open search))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type bin_t (lnk_file (read getattr))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type chkpwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow userhelper_type chkpwd_t (process (transition))) ++ (typetransition userhelper_type chkpwd_exec_t process chkpwd_t) ++ (allow chkpwd_t userhelper_type (fd (use))) ++ (allow chkpwd_t userhelper_type (fifo_file (ioctl read write getattr lock append))) ++ (allow chkpwd_t userhelper_type (process (sigchld))) ++ (allow userhelper_type chkpwd_exec_t (file (map))) ++ (dontaudit userhelper_type shadow_t (file (ioctl read getattr lock open))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type random_device_t (chr_file (ioctl read getattr lock open))) ++ (allow userhelper_type device_t (dir (getattr open search))) ++ (allow userhelper_type urandom_device_t (chr_file (ioctl read getattr lock open))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_log_t (dir (getattr open search))) ++ (allow userhelper_type faillog_t (dir (getattr open search))) ++ (allow userhelper_type faillog_t (file (ioctl read write getattr lock append open))) ++ (allow userhelper_type self (capability (audit_write))) ++ (allow userhelper_type self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read 
nlmsg_relay nlmsg_tty_audit))) ++ (allow userhelper_type cert_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type cert_t (dir (getattr open search))) ++ (allow userhelper_type cert_t (file (ioctl read getattr lock open))) ++ (allow userhelper_type cert_t (dir (getattr open search))) ++ (allow userhelper_type cert_t (lnk_file (read getattr))) ++ (allow userhelper_type updpwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow userhelper_type updpwd_t (process (transition))) ++ (typetransition userhelper_type updpwd_exec_t process updpwd_t) ++ (allow updpwd_t userhelper_type (fd (use))) ++ (allow updpwd_t userhelper_type (fifo_file (ioctl read write getattr lock append))) ++ (allow updpwd_t userhelper_type (process (sigchld))) ++ (dontaudit userhelper_type shadow_t (file (ioctl read getattr lock open))) ++ (allow userhelper_type var_t (lnk_file (read getattr))) ++ (allow userhelper_type var_run_t (lnk_file (read getattr))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_run_t (dir (getattr open search))) ++ (allow userhelper_type pam_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow userhelper_type pam_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow 
userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow userhelper_type var_auth_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow userhelper_type var_auth_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow userhelper_type var_auth_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow userhelper_type var_t (lnk_file (read getattr))) ++ (allow userhelper_type var_run_t (lnk_file (read getattr))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_run_t (dir (getattr open search))) ++ (allow userhelper_type pam_var_console_t (dir (getattr open search))) ++ (allow userhelper_type init_t (fd (use))) ++ (allow userhelper_type var_t (lnk_file (read getattr))) ++ (allow userhelper_type var_run_t (lnk_file (read getattr))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_run_t (dir (getattr open search))) ++ (allow userhelper_type initrc_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_run_t (dir (ioctl read write 
getattr lock open add_name remove_name search))) ++ (allow userhelper_type etc_t (dir (getattr open search))) ++ (allow userhelper_type selinux_config_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type selinux_config_t (dir (getattr open search))) ++ (allow userhelper_type selinux_config_t (file (ioctl read getattr lock open))) ++ (allow userhelper_type selinux_config_t (dir (getattr open search))) ++ (allow userhelper_type selinux_config_t (lnk_file (read getattr))) ++ (allow userhelper_type etc_t (dir (getattr open search))) ++ (allow userhelper_type selinux_config_t (dir (getattr open search))) ++ (allow userhelper_type default_context_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type default_context_t (dir (getattr open search))) ++ (allow userhelper_type default_context_t (file (ioctl read getattr lock open))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type bin_t (lnk_file (read getattr))) ++ (allow userhelper_type bin_t (file (ioctl read getattr map execute open))) ++ (allow userhelper_type unpriv_userdomain (process (transition))) ++ (allow userhelper_type usr_t (dir (getattr open search))) ++ (allow userhelper_type usr_t (lnk_file (read getattr))) ++ (allow userhelper_type usr_t (file (ioctl read getattr map execute open))) ++ (allow userhelper_type unpriv_userdomain (process (transition))) ++ (allow unpriv_userdomain userhelper_type (fd (use))) ++ (allow unpriv_userdomain userhelper_type (fifo_file (ioctl read write getattr lock append open))) ++ (allow unpriv_userdomain userhelper_type (process (sigchld))) ++ (allow userhelper_type entry_type (file (ioctl read getattr map execute open))) ++ (allow userhelper_type unpriv_userdomain (process (transition))) ++ (allow unpriv_userdomain userhelper_type (fd (use))) ++ (allow unpriv_userdomain userhelper_type (fifo_file (ioctl read write getattr lock append open))) ++ (allow unpriv_userdomain userhelper_type (process (sigchld))) 
++ (typetransition userhelper_type var_run_t file "utmp" initrc_var_run_t) ++ (typetransition userhelper_type var_run_t dir "sudo" pam_var_run_t) ++ (typetransition userhelper_type var_run_t dir "sepermit" pam_var_run_t) ++ (typetransition userhelper_type var_run_t dir "pam_timestamp" pam_var_run_t) ++ (typetransition userhelper_type var_run_t dir "pam_ssh" pam_var_run_t) ++ (typetransition userhelper_type var_run_t dir "pam_mount" pam_var_run_t) ++ (optional confinedom_security_advanced_optional_5 ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require krb5_keytab_t) ++ (allow userhelper_type etc_t (dir (getattr open search))) ++ (allow userhelper_type krb5_keytab_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type krb5_keytab_t (file (ioctl read getattr lock open))) ++ ) ++ (optional confinedom_security_advanced_optional_6 ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require pcscd_var_run_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require pcscd_t) ++ (allow userhelper_type var_t (lnk_file (read getattr))) ++ (allow userhelper_type var_run_t (lnk_file (read getattr))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_run_t (dir (getattr open search))) ++ (allow userhelper_type pcscd_var_run_t (dir (getattr open search))) ++ (allow userhelper_type pcscd_var_run_t (file (ioctl read getattr lock open))) ++ (allow userhelper_type var_t (lnk_file (read getattr))) ++ (allow userhelper_type var_run_t (lnk_file (read getattr))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_run_t (dir (getattr open search))) ++ (allow userhelper_type pcscd_var_run_t (dir (getattr open search))) ++ (allow userhelper_type pcscd_var_run_t (sock_file (write getattr append open))) ++ (allow userhelper_type pcscd_t (unix_stream_socket (connectto))) ++ ) ++ (optional 
confinedom_security_advanced_optional_7 ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require samba_var_t) ++ (typeattributeset cil_gen_require winbind_t) ++ (typeattributeset cil_gen_require winbind_var_run_t) ++ (typeattributeset cil_gen_require smbd_var_run_t) ++ (typeattributeset cil_gen_require samba_etc_t) ++ (allow userhelper_type var_t (lnk_file (read getattr))) ++ (allow userhelper_type var_run_t (lnk_file (read getattr))) ++ (allow userhelper_type var_t (dir (getattr open search))) ++ (allow userhelper_type var_run_t (dir (getattr open search))) ++ (allow userhelper_type smbd_var_run_t (dir (getattr open search))) ++ (allow userhelper_type samba_var_t (dir (getattr open search))) ++ (allow userhelper_type winbind_var_run_t (dir (getattr open search))) ++ (allow userhelper_type winbind_var_run_t (sock_file (write getattr append open))) ++ (allow userhelper_type winbind_t (unix_stream_socket (connectto))) ++ (allow userhelper_type etc_t (dir (getattr open search))) ++ (allow userhelper_type samba_etc_t (dir (getattr open search))) ++ (allow userhelper_type samba_etc_t (dir (ioctl read getattr lock open search))) ++ (allow userhelper_type samba_etc_t (dir (getattr open search))) ++ (allow userhelper_type samba_etc_t (file (ioctl read getattr lock open))) ++ ) ++ (optional confinedom_security_advanced_optional_8 ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require rpm_t) ++ (typeattributeset cil_gen_require rpm_exec_t) ++ (typeattributeset cil_gen_require rpm_transition_domain) ++ (typeattributeset cil_gen_require debuginfo_exec_t) ++ (typeattributeset cil_gen_require rpm_transition_domain) ++ (typeattributeset rpm_transition_domain (userhelper_type )) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type bin_t (lnk_file (read getattr))) ++ (allow userhelper_type bin_t (dir (getattr 
open search))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type rpm_exec_t (file (ioctl read getattr map execute open))) ++ (allow userhelper_type rpm_t (process (transition))) ++ (typetransition userhelper_type rpm_exec_t process rpm_t) ++ (allow rpm_t userhelper_type (fd (use))) ++ (allow rpm_t userhelper_type (fifo_file (ioctl read write getattr lock append))) ++ (allow rpm_t userhelper_type (process (sigchld))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type bin_t (lnk_file (read getattr))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ (allow userhelper_type debuginfo_exec_t (file (ioctl read getattr map execute open))) ++ (allow userhelper_type rpm_t (process (transition))) ++ (typetransition userhelper_type debuginfo_exec_t process rpm_t) ++ (allow rpm_t userhelper_type (fd (use))) ++ (allow rpm_t userhelper_type (fifo_file (ioctl read write getattr lock append))) ++ (allow rpm_t userhelper_type (process (sigchld))) ++ (allow userhelper_type debuginfo_exec_t (dir (getattr open search))) ++ (allow userhelper_type debuginfo_exec_t (lnk_file (read getattr))) ++ ) ++ (optional confinedom_security_advanced_optional_9 ++ (typeattributeset cil_gen_require usr_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset cil_gen_require sysadm_t) ++ (booleanif (secure_mode) ++ (false ++ (allow sysadm_t userhelper_type (process (sigchld))) ++ (allow sysadm_t userhelper_type (fifo_file (ioctl read write getattr lock append open))) ++ (allow sysadm_t userhelper_type (fd (use))) ++ (allow userhelper_type sysadm_t (process (transition))) ++ (allow userhelper_type entry_type (file (ioctl read getattr map execute open))) ++ (allow sysadm_t userhelper_type (process (sigchld))) ++ (allow sysadm_t userhelper_type (fifo_file (ioctl read write getattr lock append open))) 
++ (allow sysadm_t userhelper_type (fd (use))) ++ (allow userhelper_type sysadm_t (process (transition))) ++ (allow userhelper_type usr_t (file (ioctl read getattr map execute open))) ++ (allow userhelper_type usr_t (lnk_file (read getattr))) ++ (allow userhelper_type usr_t (dir (getattr open search))) ++ (allow userhelper_type sysadm_t (process (transition))) ++ (allow userhelper_type bin_t (file (ioctl read getattr map execute open))) ++ (allow userhelper_type bin_t (lnk_file (read getattr))) ++ (allow userhelper_type bin_t (dir (getattr open search))) ++ ) ++ ) ++ ) ++ ) ++ ) ++) ++ ++(macro confinedom_security_basic_macro ((type utype) (role urole)) ++ (optional confinedom_security_basic_optional_2 ++ (typeattributeset cil_gen_require utype) ++ (typeattributeset cil_gen_require security_t) ++ (typeattributeset cil_gen_require can_load_policy) ++ (typeattributeset cil_gen_require sysfs_t) ++ (typeattributeset cil_gen_require can_load_policy) ++ (typeattributeset can_load_policy (utype )) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype security_t (dir (ioctl read getattr lock open search))) ++ (allow utype security_t (file (ioctl read write getattr lock append open))) ++ (allow utype security_t (lnk_file (read getattr))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype security_t (dir (ioctl read getattr lock open search))) ++ (allow utype security_t (file (ioctl read getattr lock open))) ++ (allow utype security_t (lnk_file (read getattr))) ++ (allow utype security_t (security (read_policy))) ++ ) ++) ++ ++(macro confinedom_sudo_macro ((type utype) (role urole) (type sudo_type) (type sudo_tmp_type)) ++ (optional confinedom_sudo_optional ++ ;(type sudo_type) ++ (roletype object_r sudo_type) ++ ;(type sudo_tmp_type) ++ (roletype object_r sudo_tmp_type) ++ (roleattributeset cil_gen_require urole) ++ (typeattributeset 
cil_gen_require utype) ++ (typeattributeset cil_gen_require sudo_type) ++ (typeattributeset cil_gen_require kernel_t) ++ (typeattributeset cil_gen_require sudo_exec_t) ++ (typeattributeset cil_gen_require sudo_db_t) ++ (typeattributeset cil_gen_require sudodomain) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset cil_gen_require privfd) ++ (typeattributeset cil_gen_require can_change_process_role) ++ (typeattributeset cil_gen_require userdom_home_manager_type) ++ (typeattributeset cil_gen_require tmpfile) ++ (typeattributeset cil_gen_require tmp_t) ++ (typeattributeset cil_gen_require polymember) ++ (typeattributeset cil_gen_require shell_exec_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require usr_t) ++ (typeattributeset cil_gen_require user_home_t) ++ (typeattributeset cil_gen_require user_tmp_t) ++ (typeattributeset cil_gen_require tmpfs_t) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset cil_gen_require security_t) ++ (typeattributeset cil_gen_require sysfs_t) ++ (typeattributeset cil_gen_require selinux_config_t) ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require chkpwd_t) ++ (typeattributeset cil_gen_require chkpwd_exec_t) ++ (typeattributeset cil_gen_require shadow_t) ++ (typeattributeset cil_gen_require auth_cache_t) ++ (typeattributeset cil_gen_require device_t) ++ (typeattributeset cil_gen_require random_device_t) ++ (typeattributeset 
cil_gen_require urandom_device_t) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset cil_gen_require faillog_t) ++ (typeattributeset cil_gen_require var_log_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require cert_t) ++ (typeattributeset cil_gen_require updpwd_t) ++ (typeattributeset cil_gen_require updpwd_exec_t) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset cil_gen_require syslogd_var_run_t) ++ (typeattributeset cil_gen_require devpts_t) ++ (typeattributeset cil_gen_require sshd_devpts_t) ++ (typeattributeset cil_gen_require systemd_unit_file_type) ++ (typeattributeset cil_gen_require init_script_file_type) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole sudo_type) ++ (roletype urole chkpwd_t) ++ (roletype urole updpwd_t) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset netlabel_peer_type (sudo_type )) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset corenet_unlabeled_type (sudo_type )) ++ (typeattributeset cil_gen_require privfd) ++ (typeattributeset privfd (sudo_type )) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset syslog_client_type (sudo_type )) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset file_type (sudo_exec_t sudo_tmp_type )) ++ (typeattributeset cil_gen_require tmpfile) ++ (typeattributeset tmpfile (sudo_tmp_type )) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset non_security_file_type (sudo_exec_t sudo_tmp_type )) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset exec_type (sudo_exec_t )) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset application_domain_type (sudo_type )) ++ (typeattributeset cil_gen_require polymember) ++ (typeattributeset polymember (sudo_tmp_type )) ++ (typeattributeset 
cil_gen_require userdom_home_manager_type) ++ (typeattributeset userdom_home_manager_type (sudo_type )) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset ubac_constrained_type (sudo_type )) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset kernel_system_state_reader (sudo_type )) ++ (typeattributeset cil_gen_require can_change_process_role) ++ (typeattributeset can_change_process_role (sudo_type )) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset application_exec_type (sudo_exec_t )) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset nsswitch_domain (sudo_type )) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset entry_type (sudo_exec_t )) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset non_auth_file_type (sudo_exec_t sudo_tmp_type )) ++ (typeattributeset cil_gen_require sudodomain) ++ (typeattributeset sudodomain (sudo_type )) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset domain (sudo_type )) ++ (allow sudo_type kernel_t (system (module_request))) ++ (allow sudo_type sudo_exec_t (file (entrypoint))) ++ (allow sudo_type sudo_exec_t (file (ioctl read getattr lock map execute open))) ++ (allow sudo_type sudo_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow sudo_type tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (typetransition sudo_type tmp_t file sudo_tmp_type) ++ (allow sudo_type utype (dir (getattr open search))) ++ (allow sudo_type utype (file (ioctl read getattr lock open))) ++ (allow sudo_type utype (key (search))) ++ (allow sudo_type utype (unix_stream_socket (read write connectto))) ++ (allow utype sudo_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype sudo_type (process (transition))) ++ (typetransition utype sudo_exec_t process sudo_type) ++ 
(allow sudo_type utype (fd (use))) ++ (allow sudo_type utype (fifo_file (ioctl read write getattr lock append))) ++ (allow sudo_type utype (process (sigchld))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (lnk_file (read getattr))) ++ (allow sudo_type shell_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type utype (process (transition))) ++ (typetransition sudo_type shell_exec_t process utype) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (lnk_file (read getattr))) ++ (allow sudo_type bin_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type utype (process (transition))) ++ (allow sudo_type usr_t (dir (getattr open search))) ++ (allow sudo_type usr_t (lnk_file (read getattr))) ++ (allow sudo_type usr_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type utype (process (transition))) ++ (typetransition sudo_type bin_t process utype) ++ (typetransition sudo_type usr_t process utype) ++ (allow sudo_type user_home_t (dir (getattr open search))) ++ (allow sudo_type user_home_t (lnk_file (read getattr))) ++ (allow sudo_type user_home_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type utype (process (transition))) ++ (typetransition sudo_type user_home_t process utype) ++ (allow sudo_type tmpfs_t (dir (getattr open search))) ++ (allow sudo_type tmp_t (dir (getattr open search))) ++ (allow sudo_type tmp_t (lnk_file (read getattr))) ++ (allow sudo_type tmp_t (dir (getattr open search))) ++ (allow sudo_type user_tmp_t (dir (getattr open search))) ++ (allow sudo_type user_tmp_t (lnk_file (read getattr))) ++ (allow sudo_type user_tmp_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type utype (process (transition))) ++ (typetransition sudo_type user_tmp_t process utype) ++ (allow utype sudo_exec_t (file 
(entrypoint))) ++ (allow utype sudo_exec_t (file (ioctl read getattr lock map execute open))) ++ (allow sudo_type sudo_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type utype (process (transition))) ++ (typetransition sudo_type sudo_exec_t process utype) ++ (allow utype sudo_type (fd (use))) ++ (allow utype sudo_type (fifo_file (ioctl read write getattr lock append open))) ++ (allow utype sudo_type (process (sigchld sigkill sigstop signull signal))) ++ (allow sudo_type security_t (lnk_file (read getattr))) ++ (allow sudo_type sysfs_t (filesystem (getattr))) ++ (allow sudo_type sysfs_t (dir (getattr open search))) ++ (allow sudo_type sysfs_t (dir (getattr open search))) ++ (allow sudo_type security_t (filesystem (getattr))) ++ (allow sudo_type etc_t (dir (getattr open search))) ++ (allow sudo_type selinux_config_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type selinux_config_t (dir (getattr open search))) ++ (allow sudo_type selinux_config_t (file (ioctl read getattr lock open))) ++ (allow sudo_type selinux_config_t (dir (getattr open search))) ++ (allow sudo_type selinux_config_t (lnk_file (read getattr))) ++ (allow sudo_type auth_cache_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (lnk_file (read getattr))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type chkpwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type chkpwd_t (process (transition))) ++ (typetransition sudo_type chkpwd_exec_t process chkpwd_t) ++ (allow chkpwd_t sudo_type (fd (use))) ++ (allow chkpwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) ++ (allow chkpwd_t sudo_type (process (sigchld))) ++ (allow sudo_type chkpwd_exec_t (file (map))) ++ (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open))) ++ (allow sudo_type device_t (dir (getattr open search))) ++ (allow 
sudo_type random_device_t (chr_file (ioctl read getattr lock open))) ++ (allow sudo_type device_t (dir (getattr open search))) ++ (allow sudo_type urandom_device_t (chr_file (ioctl read getattr lock open))) ++ (allow sudo_type var_t (dir (getattr open search))) ++ (allow sudo_type var_log_t (dir (getattr open search))) ++ (allow sudo_type faillog_t (dir (getattr open search))) ++ (allow sudo_type faillog_t (file (ioctl read write getattr lock append open))) ++ (allow sudo_type self (capability (audit_write))) ++ (allow sudo_type self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit))) ++ (allow sudo_type cert_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type cert_t (dir (getattr open search))) ++ (allow sudo_type cert_t (file (ioctl read getattr lock open))) ++ (allow sudo_type cert_t (dir (getattr open search))) ++ (allow sudo_type cert_t (lnk_file (read getattr))) ++ (allow sudo_type updpwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type updpwd_t (process (transition))) ++ (typetransition sudo_type updpwd_exec_t process updpwd_t) ++ (allow updpwd_t sudo_type (fd (use))) ++ (allow updpwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) ++ (allow updpwd_t sudo_type (process (sigchld))) ++ (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open))) ++ (allow sudo_type updpwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type updpwd_t (process (transition))) ++ (typetransition sudo_type updpwd_exec_t process updpwd_t) ++ (allow updpwd_t sudo_type (fd (use))) ++ (allow updpwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) ++ (allow updpwd_t sudo_type (process (sigchld))) ++ (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open))) ++ (allow sudo_type syslogd_var_run_t (dir (getattr open search))) ++ (allow sudo_type syslogd_var_run_t (file (ioctl read 
getattr lock open map))) ++ (allow sudo_type syslogd_var_run_t (dir (getattr open search))) ++ (allow sudo_type syslogd_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type device_t (dir (getattr open search))) ++ (allow sudo_type device_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type device_t (dir (getattr open search))) ++ (allow sudo_type device_t (lnk_file (read getattr))) ++ (allow sudo_type devpts_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type devpts_t (chr_file (ioctl read write getattr lock append open))) ++ (allow sudo_type devpts_t (chr_file (setattr))) ++ (allow sudo_type sshd_devpts_t (chr_file (ioctl read write getattr lock append))) ++ (allow sudo_type systemd_unit_file_type (service (start stop status reload enable disable))) ++ (allow sudo_type init_script_file_type (service (start stop status reload enable disable))) ++ (optional confinedom_sudo_optional_3 ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require krb5_keytab_t) ++ (allow sudo_type etc_t (dir (getattr open search))) ++ (allow sudo_type krb5_keytab_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type krb5_keytab_t (file (ioctl read getattr lock open))) ++ ) ++ (optional confinedom_sudo_optional_4 ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require pcscd_var_run_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require pcscd_t) ++ (allow sudo_type var_t (lnk_file (read getattr))) ++ (allow sudo_type var_run_t (lnk_file (read getattr))) ++ (allow sudo_type var_t (dir (getattr open search))) ++ (allow sudo_type var_run_t (dir (getattr open search))) ++ (allow sudo_type pcscd_var_run_t (dir (getattr open search))) ++ (allow sudo_type pcscd_var_run_t (file (ioctl read getattr lock open))) ++ (allow sudo_type var_t (lnk_file (read getattr))) ++ (allow sudo_type var_run_t (lnk_file (read getattr))) ++ (allow sudo_type var_t (dir 
(getattr open search))) ++ (allow sudo_type var_run_t (dir (getattr open search))) ++ (allow sudo_type pcscd_var_run_t (dir (getattr open search))) ++ (allow sudo_type pcscd_var_run_t (sock_file (write getattr append open))) ++ (allow sudo_type pcscd_t (unix_stream_socket (connectto))) ++ ) ++ (optional confinedom_sudo_optional_5 ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require samba_var_t) ++ (typeattributeset cil_gen_require winbind_t) ++ (typeattributeset cil_gen_require winbind_var_run_t) ++ (typeattributeset cil_gen_require smbd_var_run_t) ++ (typeattributeset cil_gen_require samba_etc_t) ++ (allow sudo_type var_t (lnk_file (read getattr))) ++ (allow sudo_type var_run_t (lnk_file (read getattr))) ++ (allow sudo_type var_t (dir (getattr open search))) ++ (allow sudo_type var_run_t (dir (getattr open search))) ++ (allow sudo_type smbd_var_run_t (dir (getattr open search))) ++ (allow sudo_type samba_var_t (dir (getattr open search))) ++ (allow sudo_type winbind_var_run_t (dir (getattr open search))) ++ (allow sudo_type winbind_var_run_t (sock_file (write getattr append open))) ++ (allow sudo_type winbind_t (unix_stream_socket (connectto))) ++ (allow sudo_type etc_t (dir (getattr open search))) ++ (allow sudo_type samba_etc_t (dir (getattr open search))) ++ (allow sudo_type samba_etc_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type samba_etc_t (dir (getattr open search))) ++ (allow sudo_type samba_etc_t (file (ioctl read getattr lock open))) ++ ) ++ (optional confinedom_sudo_optional_6 ++ (typeattributeset cil_gen_require mta_user_agent) ++ (typeattributeset cil_gen_require user_mail_t) ++ (typeattributeset cil_gen_require sendmail_exec_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole mta_user_agent) ++ (roletype urole user_mail_t) ++ (allow sudo_type sendmail_exec_t (file (ioctl read getattr map execute 
open))) ++ (allow sudo_type user_mail_t (process (transition))) ++ (typetransition sudo_type sendmail_exec_t process user_mail_t) ++ (allow user_mail_t sudo_type (fd (use))) ++ (allow user_mail_t sudo_type (fifo_file (ioctl read write getattr lock append))) ++ (allow user_mail_t sudo_type (process (sigchld))) ++ (allow sudo_type sendmail_exec_t (lnk_file (read getattr))) ++ (allow mta_user_agent sudo_type (fd (use))) ++ (allow mta_user_agent sudo_type (process (sigchld))) ++ (allow mta_user_agent sudo_type (fifo_file (ioctl read write getattr lock append))) ++ (allow sudo_type user_mail_t (process (signal))) ++ (optional confinedom_sudo_optional_7 ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require exim_t) ++ (typeattributeset cil_gen_require exim_exec_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole exim_t) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (lnk_file (read getattr))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type exim_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type exim_t (process (transition))) ++ (typetransition sudo_type exim_exec_t process exim_t) ++ (allow exim_t sudo_type (fd (use))) ++ (allow exim_t sudo_type (fifo_file (ioctl read write getattr lock append))) ++ (allow exim_t sudo_type (process (sigchld))) ++ ) ++ (optional confinedom_sudo_optional_8 ++ (typeattributeset cil_gen_require mailman_mail_t) ++ (typeattributeset cil_gen_require mailman_mail_exec_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole mailman_mail_t) ++ (allow mta_user_agent mailman_mail_exec_t (file (ioctl read getattr map execute open))) ++ (allow mta_user_agent mailman_mail_t (process (transition))) ++ (typetransition mta_user_agent mailman_mail_exec_t process mailman_mail_t) ++ (allow mailman_mail_t mta_user_agent (fd (use))) ++ (allow mailman_mail_t mta_user_agent 
(fifo_file (ioctl read write getattr lock append))) ++ (allow mailman_mail_t mta_user_agent (process (sigchld))) ++ ) ++ ) ++ (optional confinedom_sudo_optional_9 ++ (roleattributeset cil_gen_require rpm_script_roles) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require rpm_t) ++ (typeattributeset cil_gen_require rpm_script_t) ++ (typeattributeset cil_gen_require rpm_exec_t) ++ (typeattributeset cil_gen_require rpm_transition_domain) ++ (typeattributeset cil_gen_require debuginfo_exec_t) ++ (typeattributeset cil_gen_require can_system_change) ++ (roleattributeset cil_gen_require rpm_script_roles) ++ (roleattributeset rpm_script_roles (urole )) ++ (typeattributeset cil_gen_require rpm_transition_domain) ++ (typeattributeset rpm_transition_domain (sudo_type )) ++ (typeattributeset cil_gen_require can_system_change) ++ (typeattributeset can_system_change (sudo_type )) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (lnk_file (read getattr))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type rpm_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type rpm_t (process (transition))) ++ (typetransition sudo_type rpm_exec_t process rpm_t) ++ (allow rpm_t sudo_type (fd (use))) ++ (allow rpm_t sudo_type (fifo_file (ioctl read write getattr lock append))) ++ (allow rpm_t sudo_type (process (sigchld))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (lnk_file (read getattr))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type debuginfo_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type rpm_t (process (transition))) ++ (typetransition sudo_type debuginfo_exec_t process rpm_t) ++ (allow rpm_t sudo_type (fd (use))) ++ (allow rpm_t sudo_type (fifo_file (ioctl read write getattr lock append))) ++ 
(allow rpm_t sudo_type (process (sigchld))) ++ (allow sudo_type debuginfo_exec_t (dir (getattr open search))) ++ (allow sudo_type debuginfo_exec_t (lnk_file (read getattr))) ++ (allow sudo_type rpm_script_t (process (transition))) ++ (allow sudo_type rpm_script_t (fd (use))) ++ (allow rpm_script_t sudo_type (fd (use))) ++ (allow rpm_script_t sudo_type (fifo_file (ioctl read write getattr lock append open))) ++ (allow rpm_script_t sudo_type (process (sigchld))) ++ ) ++ (optional confinedom_sudo_optional_10 ++ (typeattributeset cil_gen_require tmp_t) ++ (typeattributeset cil_gen_require tmpfs_t) ++ (typeattributeset cil_gen_require security_t) ++ (typeattributeset cil_gen_require sysfs_t) ++ (typeattributeset cil_gen_require selinux_config_t) ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require krb5_host_rcache_t) ++ (typeattributeset cil_gen_require can_change_object_identity) ++ (typeattributeset cil_gen_require default_context_t) ++ (typeattributeset cil_gen_require file_context_t) ++ (typeattributeset cil_gen_require krb5_conf_t) ++ (typeattributeset cil_gen_require krb5_home_t) ++ (typeattributeset cil_gen_require can_change_object_identity) ++ (typeattributeset can_change_object_identity (sudo_type )) ++ (allow sudo_type etc_t (dir (getattr open search))) ++ (allow sudo_type krb5_conf_t (file (ioctl read getattr lock open))) ++ (allow sudo_type krb5_home_t (file (ioctl read getattr lock open))) ++ (booleanif (kerberos_enabled) ++ (true ++ (allow sudo_type tmp_t (dir (getattr open search))) ++ (allow sudo_type tmp_t (lnk_file (read getattr))) ++ (allow sudo_type tmp_t (dir (getattr open search))) ++ (allow sudo_type tmpfs_t (dir (getattr open search))) ++ (allow sudo_type krb5_host_rcache_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow sudo_type krb5_host_rcache_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type tmp_t (dir 
(ioctl read write getattr lock open add_name remove_name search))) ++ (allow sudo_type tmp_t (dir (getattr open search))) ++ (allow sudo_type tmp_t (lnk_file (read getattr))) ++ (allow sudo_type tmp_t (dir (getattr open search))) ++ (allow sudo_type tmpfs_t (dir (getattr open search))) ++ (allow sudo_type file_context_t (file (map))) ++ (allow sudo_type file_context_t (lnk_file (read getattr))) ++ (allow sudo_type file_context_t (dir (getattr open search))) ++ (allow sudo_type file_context_t (file (ioctl read getattr lock open))) ++ (allow sudo_type file_context_t (dir (getattr open search))) ++ (allow sudo_type file_context_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type file_context_t (dir (getattr open search))) ++ (allow sudo_type selinux_config_t (dir (getattr open search))) ++ (allow sudo_type default_context_t (dir (getattr open search))) ++ (allow sudo_type etc_t (dir (getattr open search))) ++ (allow sudo_type security_t (security (check_context))) ++ (allow sudo_type security_t (file (ioctl read write getattr lock append map open))) ++ (allow sudo_type security_t (dir (ioctl read getattr lock open search))) ++ (allow sudo_type security_t (lnk_file (read getattr))) ++ (allow sudo_type sysfs_t (dir (getattr open search))) ++ (allow sudo_type sysfs_t (dir (getattr open search))) ++ (allow sudo_type sysfs_t (filesystem (getattr))) ++ (allow sudo_type self (process (setfscreate))) ++ ) ++ ) ++ ) ++ (optional confinedom_sudo_optional_11 ++ (typeattributeset cil_gen_require systemd_systemctl_exec_t) ++ (allow sudo_type systemd_systemctl_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type utype (process (transition))) ++ (typetransition sudo_type systemd_systemctl_exec_t process utype) ++ (allow utype systemd_systemctl_exec_t (file (entrypoint))) ++ ) ++ (optional confinedom_sudo_optional_12 ++ (typeattributeset cil_gen_require tmp_t) ++ (typeattributeset cil_gen_require user_tmp_t) ++ (typeattributeset cil_gen_require 
tmpfs_t) ++ (allow sudo_type user_tmp_t (sock_file (write getattr append open))) ++ (allow sudo_type tmpfs_t (dir (getattr open search))) ++ (allow sudo_type tmp_t (dir (getattr open search))) ++ (allow sudo_type tmp_t (lnk_file (read getattr))) ++ (allow sudo_type tmp_t (dir (getattr open search))) ++ (optional confinedom_sudo_optional_13 ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require passwd_t) ++ (typeattributeset cil_gen_require passwd_exec_t) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (lnk_file (read getattr))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type bin_t (dir (getattr open search))) ++ (allow sudo_type passwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow sudo_type passwd_t (process (transition))) ++ (typetransition sudo_type passwd_exec_t process passwd_t) ++ (allow passwd_t sudo_type (fd (use))) ++ (allow passwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) ++ (allow passwd_t sudo_type (process (sigchld))) ++ ) ++ ) ++ ) ++) ++ ++(macro confinedom_user_login_macro ((type utype) (role urole) (type gkeyringd_type) (type dbusd_type) (boolean exec_content_bool)) ++ (optional confinedom_user_login_optional_2 ++ (roletype object_r utype) ++ (typeattributeset cil_gen_require userdomain) ++ (typeattributeset cil_gen_require login_confinedom) ++ (typeattributeset cil_gen_require user_devpts_t) ++ (typeattributeset cil_gen_require user_tty_device_t) ++ (typeattributeset cil_gen_require shell_exec_t) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset cil_gen_require process_user_target) ++ 
(typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset cil_gen_require userdom_filetrans_type) ++ (typeattributeset cil_gen_require user_tmp_t) ++ (typeattributeset cil_gen_require user_tmp_type) ++ (typeattributeset cil_gen_require tmp_t) ++ (typeattributeset cil_gen_require tmpfs_t) ++ (typeattributeset cil_gen_require user_home_dir_t) ++ (typeattributeset cil_gen_require user_home_t) ++ (typeattributeset cil_gen_require user_home_type) ++ (typeattributeset cil_gen_require home_root_t) ++ (typeattributeset cil_gen_require user_home_content_type) ++ (typeattributeset cil_gen_require polymember) ++ (typeattributeset cil_gen_require nfs_t) ++ (typeattributeset cil_gen_require cifs_t) ++ (typeattributeset cil_gen_require bsdpty_device_t) ++ (typeattributeset cil_gen_require devpts_t) ++ (typeattributeset cil_gen_require ptmx_t) ++ (typeattributeset cil_gen_require device_t) ++ (typeattributeset cil_gen_require ttynode) ++ (typeattributeset cil_gen_require ptynode) ++ (typeattributeset cil_gen_require console_device_t) ++ (typeattributeset cil_gen_require tty_device_t) ++ (typeattributeset cil_gen_require server_ptynode) ++ (typeattributeset cil_gen_require device_node) ++ (typeattributeset cil_gen_require virtio_device_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require base_ro_file_type) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset cil_gen_require chkpwd_t) ++ (typeattributeset cil_gen_require chkpwd_exec_t) ++ (typeattributeset cil_gen_require shadow_t) ++ (typeattributeset cil_gen_require updpwd_t) ++ (typeattributeset cil_gen_require updpwd_exec_t) ++ (typeattributeset cil_gen_require passwd_file_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require init_t) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset cil_gen_require 
netlabel_peer_type) ++ (typeattributeset cil_gen_require boot_t) ++ (typeattributeset cil_gen_require cgroup_t) ++ (typeattributeset cil_gen_require filesystem_type) ++ (typeattributeset cil_gen_require fs_t) ++ (typeattributeset cil_gen_require sysfs_t) ++ (typeattributeset cil_gen_require init_exec_t) ++ (typeattributeset cil_gen_require systemd_systemctl_exec_t) ++ (typeattributeset cil_gen_require efivarfs_t) ++ (typeattributeset cil_gen_require systemd_unit_file_type) ++ (typeattributeset cil_gen_require init_var_run_t) ++ (typeattributeset cil_gen_require systemd_logind_var_run_t) ++ (typeattributeset cil_gen_require systemd_passwd_agent_t) ++ (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) ++ (typeattributeset cil_gen_require systemd_passwd_var_run_t) ++ (typeattributeset cil_gen_require kernel_t) ++ (typeattributeset cil_gen_require sysctl_type) ++ (typeattributeset cil_gen_require proc_t) ++ (typeattributeset cil_gen_require proc_net_t) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset cil_gen_require locale_t) ++ (typeattributeset cil_gen_require mount_var_run_t) ++ (typeattributeset cil_gen_require sound_device_t) ++ (typeattributeset cil_gen_require security_t) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset cil_gen_require selinux_config_t) ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require default_context_t) ++ (typeattributeset cil_gen_require file_context_t) ++ (typeattributeset cil_gen_require fixed_disk_device_t) ++ (typeattributeset cil_gen_require systemd_hostnamed_t) ++ (typeattributeset cil_gen_require systemd_tmpfiles_exec_t) ++ (typeattributeset cil_gen_require udev_var_run_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole utype) ++ (roletype urole user_tmp_t) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset netlabel_peer_type (utype )) ++ (typeattributeset cil_gen_require 
login_confinedom) ++ (typeattributeset login_confinedom (utype )) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset corenet_unlabeled_type (utype )) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset syslog_client_type (utype )) ++ (typeattributeset cil_gen_require device_node) ++ (typeattributeset device_node (user_devpts_t )) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset file_type (utype shell_exec_t )) ++ (typeattributeset cil_gen_require ptynode) ++ (typeattributeset ptynode (user_devpts_t )) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset non_security_file_type (utype shell_exec_t )) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset exec_type (shell_exec_t )) ++ (typeattributeset cil_gen_require user_home_content_type) ++ (typeattributeset user_home_content_type (utype )) ++ (typeattributeset cil_gen_require polymember) ++ (typeattributeset polymember (utype )) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset ubac_constrained_type (utype )) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset kernel_system_state_reader (utype )) ++ (typeattributeset cil_gen_require userdom_filetrans_type) ++ (typeattributeset userdom_filetrans_type (utype )) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset nsswitch_domain (utype )) ++ (typeattributeset cil_gen_require user_home_type) ++ (typeattributeset user_home_type (utype )) ++ (typeattributeset cil_gen_require userdomain) ++ (typeattributeset userdomain (utype )) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset entry_type (shell_exec_t )) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset non_auth_file_type (utype shell_exec_t )) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset domain (utype )) ++ (typeattributeset cil_gen_require 
process_user_target) ++ (typeattributeset process_user_target (utype )) ++ (allow utype shell_exec_t (file (entrypoint))) ++ (allow utype shell_exec_t (file (ioctl read getattr lock map execute open))) ++ (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_tmp_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (typemember utype tmp_t dir user_tmp_t) ++ (allow utype user_tmp_type (dir (mounton))) ++ (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype tmp_t (dir (ioctl 
read write getattr lock open add_name remove_name search))) ++ (typetransition utype tmp_t fifo_file user_tmp_t) ++ (typetransition utype tmp_t sock_file user_tmp_t) ++ (typetransition utype tmp_t lnk_file user_tmp_t) ++ (typetransition utype tmp_t dir user_tmp_t) ++ (typetransition utype tmp_t file user_tmp_t) ++ (allow user_tmp_t tmpfs_t (filesystem (associate))) ++ (allow utype tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (typetransition utype tmpfs_t fifo_file user_tmp_t) ++ (typetransition utype tmpfs_t sock_file user_tmp_t) ++ (typetransition utype tmpfs_t lnk_file user_tmp_t) ++ (typetransition utype tmpfs_t dir user_tmp_t) ++ (typetransition utype tmpfs_t file user_tmp_t) ++ (allow utype user_tmp_type (dir (getattr open search))) ++ (allow utype user_tmp_type (dir (getattr relabelfrom relabelto))) ++ (allow utype user_tmp_type (dir (getattr open search))) ++ (allow utype user_tmp_type (file (getattr relabelfrom relabelto))) ++ (allow utype user_tmp_type (dir (getattr open search))) ++ (allow utype user_tmp_type (lnk_file (getattr relabelfrom relabelto))) ++ (allow utype user_tmp_type (dir (getattr open search))) ++ (allow utype user_tmp_type (sock_file (getattr relabelfrom relabelto))) ++ (allow utype user_tmp_type (dir (getattr open search))) ++ (allow utype user_tmp_type (fifo_file (getattr relabelfrom relabelto))) ++ (allow utype user_tmp_type (file (map))) ++ (allow utype home_root_t (dir (ioctl read getattr lock open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr 
lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (typetransition utype user_home_dir_t fifo_file user_home_t) ++ (typetransition utype user_home_dir_t sock_file user_home_t) ++ (typetransition utype user_home_dir_t lnk_file user_home_t) ++ (typetransition utype user_home_dir_t dir user_home_t) ++ (typetransition utype user_home_dir_t file user_home_t) ++ (allow login_confinedom self (capability (mknod))) ++ (allow login_confinedom user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow login_confinedom user_tmp_t (chr_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow 
login_confinedom tmpfs_t (dir (getattr open search))) ++ (allow login_confinedom tmp_t (dir (getattr open search))) ++ (allow login_confinedom tmp_t (lnk_file (read getattr))) ++ (allow login_confinedom tmp_t (dir (getattr open search))) ++ (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype user_tmp_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype tmp_t (dir (getattr open search))) ++ (allow utype tmp_t (lnk_file (read getattr))) ++ (allow utype tmp_t (dir (getattr open search))) ++ (allow utype user_home_t (filesystem (associate))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (dir (ioctl read getattr lock open search))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (lnk_file (read getattr))) ++ (allow utype ptmx_t (chr_file (ioctl read write getattr lock append open))) ++ (allow utype devpts_t (dir (ioctl read getattr lock open search))) ++ (allow utype devpts_t (filesystem (getattr))) ++ (dontaudit utype bsdpty_device_t (chr_file (read write getattr))) ++ (typetransition utype devpts_t chr_file user_devpts_t) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (dir (ioctl read getattr lock open search))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (lnk_file (read getattr))) ++ (allow utype devpts_t (dir (ioctl read getattr lock open search))) ++ (allow utype devpts_t (chr_file (ioctl read write getattr lock append open))) ++ (allow utype ttynode (chr_file (ioctl read write getattr lock append open))) ++ (allow utype ptynode (chr_file (ioctl read write getattr lock append open))) ++ (allow utype console_device_t (chr_file (ioctl read write getattr lock append open))) ++ (allow utype tty_device_t (chr_file (ioctl read write getattr lock append open))) ++ (allow 
user_devpts_t devpts_t (filesystem (associate))) ++ (allow utype user_devpts_t (chr_file (setattr))) ++ (typechange utype server_ptynode chr_file user_devpts_t) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (dir (ioctl read getattr lock open search))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (lnk_file (read getattr))) ++ (allow utype virtio_device_t (chr_file (ioctl read write getattr lock append open))) ++ (allow utype utype (capability (chown dac_read_search setgid setuid audit_write))) ++ (allow utype utype (dbus (acquire_svc))) ++ (allow utype utype (process (setsched setcap setfscreate setsockcreate))) ++ (allow utype utype (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write nlmsg_relay))) ++ (allow utype utype (netlink_kobject_uevent_socket (create getattr bind getopt setopt))) ++ (allow utype utype (unix_dgram_socket (ioctl create bind connect getopt setopt sendto))) ++ (allow utype utype (unix_stream_socket (connectto))) ++ (allow utype utype (context (contains))) ++ (dontaudit utype exec_type (file (execute execute_no_trans))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (ioctl read getattr lock open search))) ++ (allow utype bin_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype base_ro_file_type (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (ioctl read getattr lock open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype shell_exec_t (file (map))) ++ (allow utype 
application_exec_type (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype chkpwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype chkpwd_t (process (transition))) ++ (typetransition utype chkpwd_exec_t process chkpwd_t) ++ (allow chkpwd_t utype (fd (use))) ++ (allow chkpwd_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow chkpwd_t utype (process (sigchld))) ++ (dontaudit utype shadow_t (file (read getattr))) ++ (allow utype updpwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype updpwd_t (process (transition))) ++ (typetransition utype updpwd_exec_t process updpwd_t) ++ (allow updpwd_t utype (fd (use))) ++ (allow updpwd_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow updpwd_t utype (process (sigchld))) ++ (dontaudit utype shadow_t (file (ioctl read getattr lock open))) ++ (allow utype passwd_file_t (file (ioctl read getattr lock open))) ++ (allow utype init_t (dbus (send_msg))) ++ (allow init_t utype (dbus (send_msg))) ++ (dontaudit utype boot_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (dontaudit utype boot_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype cgroup_t (filesystem (getattr))) ++ (allow utype filesystem_type (dir (getattr))) ++ (allow utype tmpfs_t (filesystem (getattr))) ++ (allow utype fs_t (filesystem (getattr))) ++ (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype cgroup_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) 
++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype cgroup_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype cgroup_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype tmpfs_t (file (ioctl read getattr lock open))) ++ (allow utype filesystem_type (dir (getattr open search))) ++ (allow utype init_exec_t (file (entrypoint))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype init_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype init_t (system (status))) ++ (allow utype init_t (service (status))) ++ (allow utype kernel_t (unix_dgram_socket (sendto))) ++ (allow utype sysctl_type (dir (getattr open search))) ++ (allow utype proc_t (dir (getattr open search))) ++ (allow utype proc_net_t (dir (getattr open search))) ++ (allow utype sysctl_type (file (ioctl read getattr lock open))) ++ (allow utype proc_t (dir (getattr open search))) ++ (allow utype proc_net_t (dir (getattr open search))) ++ (allow utype sysctl_type (dir (ioctl read getattr lock open search))) ++ (allow utype proc_t (dir (getattr open search))) ++ (allow utype proc_net_t (dir (getattr open search))) ++ (allow utype proc_net_t (file (ioctl read 
getattr lock open))) ++ (allow utype proc_t (dir (getattr open search))) ++ (allow utype proc_net_t (dir (getattr open search))) ++ (allow utype proc_net_t (lnk_file (read getattr))) ++ (allow utype proc_t (dir (getattr open search))) ++ (allow utype proc_net_t (dir (ioctl read getattr lock open search))) ++ (allow utype kernel_t (system (module_request))) ++ (allow utype kernel_t (unix_stream_socket (getattr connectto))) ++ (allow utype locale_t (dir (getattr open search))) ++ (allow utype locale_t (lnk_file (getattr watch))) ++ (allow utype mount_var_run_t (dir (getattr open search))) ++ (allow utype mount_var_run_t (file (ioctl read getattr lock open))) ++ (allow utype mount_var_run_t (dir (getattr open search))) ++ (allow utype mount_var_run_t (dir (ioctl read getattr lock open search watch watch_reads))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype mount_var_run_t (dir (getattr open search))) ++ (allow utype mount_var_run_t (dir (getattr watch))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype sound_device_t (chr_file (getattr))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (file (ioctl read getattr lock open))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (lnk_file (read getattr))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (ioctl read getattr lock open search))) ++ (allow utype proc_t (dir (getattr open search))) ++ (allow utype proc_t (dir (getattr open search))) ++ (allow utype domain (dir (ioctl read getattr lock open search))) ++ (allow utype domain 
(dir (getattr open search))) ++ (allow utype domain (file (ioctl read getattr lock open))) ++ (allow utype domain (dir (getattr open search))) ++ (allow utype domain (lnk_file (read getattr))) ++ (allow utype sysfs_t (filesystem (getattr))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype security_t (lnk_file (read getattr))) ++ (allow utype security_t (dir (ioctl read getattr lock open search))) ++ (allow utype security_t (file (ioctl read write getattr lock append open))) ++ (allow utype security_t (security (compute_av))) ++ (allow utype sysfs_t (filesystem (getattr))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype security_t (lnk_file (read getattr))) ++ (allow utype security_t (dir (ioctl read getattr lock open search))) ++ (allow utype security_t (file (ioctl read write getattr lock append open))) ++ (allow utype security_t (security (compute_create))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype security_t (lnk_file (read getattr))) ++ (allow utype sysfs_t (filesystem (getattr))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype security_t (filesystem (getattr))) ++ (allow utype security_t (dir (ioctl read getattr lock open search))) ++ (allow utype security_t (file (ioctl read getattr map open))) ++ (allow utype security_t (lnk_file (read getattr))) ++ (allow utype etc_t (dir (getattr open search))) ++ (allow utype selinux_config_t (dir (ioctl read getattr lock open search))) ++ (allow utype selinux_config_t (dir (getattr open search))) ++ (allow utype selinux_config_t (file (ioctl read getattr lock open))) ++ (allow utype selinux_config_t (dir (getattr open search))) ++ (allow utype selinux_config_t (lnk_file (read getattr))) ++ (allow utype etc_t (dir (getattr 
open search))) ++ (allow utype selinux_config_t (dir (getattr open search))) ++ (allow utype default_context_t (dir (getattr open search))) ++ (allow utype file_context_t (dir (getattr open search))) ++ (allow utype file_context_t (dir (ioctl read getattr lock open search))) ++ (allow utype file_context_t (dir (getattr open search))) ++ (allow utype file_context_t (file (ioctl read getattr lock open))) ++ (allow utype file_context_t (dir (getattr open search))) ++ (allow utype file_context_t (lnk_file (read getattr))) ++ (allow utype file_context_t (file (map))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (dir (ioctl read getattr lock open search))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (lnk_file (read getattr))) ++ (allow utype fixed_disk_device_t (blk_file (getattr))) ++ (allow utype systemd_hostnamed_t (dbus (send_msg))) ++ (allow systemd_hostnamed_t utype (dbus (send_msg))) ++ (allow systemd_hostnamed_t utype (dir (ioctl read getattr lock open search))) ++ (allow systemd_hostnamed_t utype (file (ioctl read getattr lock open))) ++ (allow systemd_hostnamed_t utype (lnk_file (read getattr))) ++ (allow systemd_hostnamed_t utype (process (getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype cgroup_t (dir (getattr open search))) ++ (allow utype cgroup_t (dir (ioctl read getattr lock open search))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype cgroup_t (dir (getattr open search))) ++ (allow utype cgroup_t (file (ioctl read getattr lock open))) ++ (allow utype cgroup_t (dir (getattr open 
search))) ++ (allow utype cgroup_t (lnk_file (read getattr))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype efivarfs_t (dir (getattr open search))) ++ (allow utype efivarfs_t (file (ioctl read getattr lock open))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) ++ (allow utype init_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow utype init_t (dir (getattr open search))) ++ (allow utype init_t (file (ioctl read getattr lock open))) ++ (allow utype init_t (lnk_file (read getattr))) ++ (allow utype init_t (unix_stream_socket (sendto))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype init_var_run_t (dir (getattr open search))) ++ (allow utype init_var_run_t (sock_file (write getattr append open))) ++ (allow utype init_t (unix_stream_socket (connectto))) ++ (allow utype init_t (unix_stream_socket (getattr))) ++ (dontaudit utype self (process (setrlimit))) ++ (dontaudit utype self (capability (sys_resource))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir 
(getattr open search))) ++ (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) ++ (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype init_var_run_t (dir (getattr open search))) ++ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow systemd_passwd_agent_t utype (process (signull))) ++ (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) ++ (dontaudit utype self (capability (net_admin sys_ptrace))) ++ (allow utype systemd_tmpfiles_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype systemd_passwd_var_run_t (dir (getattr watch))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype systemd_unit_file_type (file (ioctl read getattr lock open))) ++ (allow utype systemd_unit_file_type (lnk_file (read getattr))) ++ (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (dir (ioctl read getattr lock open search))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (lnk_file (read getattr))) ++ (allow utype var_t (lnk_file (read getattr))) 
++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype udev_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow utype udev_var_run_t (dir (getattr open search))) ++ (allow utype udev_var_run_t (file (ioctl read getattr lock open))) ++ (allow utype udev_var_run_t (dir (getattr open search))) ++ (allow utype udev_var_run_t (lnk_file (read getattr))) ++ (roleallow system_r urole) ++ (booleanif (deny_bluetooth) ++ (false ++ (allow utype self (bluetooth_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown))) ++ ) ++ ) ++ (booleanif (and (exec_content_bool) (use_samba_home_dirs)) ++ (true ++ (allow utype cifs_t (file (ioctl read getattr map execute open execute_no_trans))) ++ (allow utype cifs_t (dir (getattr open search))) ++ (allow utype cifs_t (dir (ioctl read getattr lock open search))) ++ ) ++ ) ++ (booleanif (and (exec_content_bool) (use_nfs_home_dirs)) ++ (true ++ (allow utype nfs_t (file (ioctl read getattr map execute open execute_no_trans))) ++ (allow utype nfs_t (dir (getattr open search))) ++ (allow utype nfs_t (dir (ioctl read getattr lock open search))) ++ ) ++ ) ++ (booleanif (exec_content_bool) ++ (true ++ (allow utype user_home_type (file (ioctl read getattr map execute open execute_no_trans))) ++ (allow utype user_home_dir_t (dir (getattr open search))) ++ (allow utype user_home_type (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype tmp_t (dir (getattr open search))) ++ (allow utype tmp_t (lnk_file (read getattr))) ++ (allow utype tmp_t (dir (getattr open search))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype user_tmp_t (file (ioctl read getattr map execute open execute_no_trans))) ++ (allow utype user_tmp_t (dir (getattr open search))) 
++ (allow utype user_tmp_t (file (entrypoint))) ++ ) ++ ) ++ (optional confinedom_user_login_optional_3 ++ (typeattributeset cil_gen_require sssd_public_t) ++ (typeattributeset cil_gen_require sssd_var_lib_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require sssd_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (allow utype sssd_var_lib_t (dir (getattr open search))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype sssd_public_t (dir (getattr open search))) ++ (allow utype sssd_public_t (dir (ioctl read getattr lock open search))) ++ (allow utype sssd_public_t (dir (getattr open search))) ++ (allow utype sssd_public_t (file (ioctl read getattr lock open))) ++ (allow utype sssd_public_t (file (map))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype sssd_var_lib_t (dir (getattr open search))) ++ (allow utype sssd_var_lib_t (sock_file (write getattr append open))) ++ (allow utype sssd_t (unix_stream_socket (connectto))) ++ ) ++ (optional confinedom_user_login_optional_4 ++ (typeattributeset cil_gen_require tmpfs_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require init_t) ++ (typeattributeset cil_gen_require cgroup_t) ++ (typeattributeset cil_gen_require sysfs_t) ++ (typeattributeset cil_gen_require systemd_systemctl_exec_t) ++ (typeattributeset cil_gen_require efivarfs_t) ++ (typeattributeset cil_gen_require systemd_unit_file_type) ++ (typeattributeset cil_gen_require init_var_run_t) ++ (typeattributeset cil_gen_require systemd_logind_var_run_t) ++ (typeattributeset 
cil_gen_require systemd_passwd_agent_t) ++ (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) ++ (typeattributeset cil_gen_require systemd_passwd_var_run_t) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype cgroup_t (dir (getattr open search))) ++ (allow utype cgroup_t (dir (ioctl read getattr lock open search))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype cgroup_t (dir (getattr open search))) ++ (allow utype cgroup_t (file (ioctl read getattr lock open))) ++ (allow utype cgroup_t (dir (getattr open search))) ++ (allow utype cgroup_t (lnk_file (read getattr))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype efivarfs_t (dir (getattr open search))) ++ (allow utype efivarfs_t (file (ioctl read getattr lock open))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) ++ (allow utype init_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow utype init_t (dir (getattr open search))) ++ (allow utype init_t (file (ioctl read getattr lock open))) ++ (allow utype init_t (lnk_file (read getattr))) ++ (allow utype init_t (unix_stream_socket (sendto))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype init_var_run_t (dir 
(getattr open search))) ++ (allow utype init_var_run_t (sock_file (write getattr append open))) ++ (allow utype init_t (unix_stream_socket (connectto))) ++ (allow utype init_t (unix_stream_socket (getattr))) ++ (dontaudit utype self (process (setrlimit))) ++ (dontaudit utype self (capability (sys_resource))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) ++ (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype init_var_run_t (dir (getattr open search))) ++ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow systemd_passwd_agent_t utype (process 
(signull))) ++ (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) ++ (dontaudit utype self (capability (net_admin sys_ptrace))) ++ (optional confinedom_user_login_optional_5 ++ (typeattributeset cil_gen_require bluetooth_t) ++ (allow utype bluetooth_t (dbus (send_msg))) ++ (allow bluetooth_t utype (dbus (send_msg))) ++ ) ++ (optional confinedom_user_login_optional_6 ++ (typeattributeset cil_gen_require shell_exec_t) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset cil_gen_require device_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require base_ro_file_type) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset cil_gen_require chkpwd_t) ++ (typeattributeset cil_gen_require chkpwd_exec_t) ++ (typeattributeset cil_gen_require shadow_t) ++ (typeattributeset cil_gen_require updpwd_t) ++ (typeattributeset cil_gen_require updpwd_exec_t) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset cil_gen_require cronjob_t) ++ (typeattributeset cil_gen_require crontab_t) ++ (typeattributeset cil_gen_require crontab_exec_t) ++ (typeattributeset cil_gen_require user_cron_spool_t) ++ (typeattributeset cil_gen_require crond_t) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset cil_gen_require auth_cache_t) ++ (typeattributeset cil_gen_require 
random_device_t) ++ (typeattributeset cil_gen_require urandom_device_t) ++ (typeattributeset cil_gen_require faillog_t) ++ (typeattributeset cil_gen_require var_log_t) ++ (typeattributeset cil_gen_require cert_t) ++ (typeattributeset cil_gen_require userdom_home_reader_type) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole cronjob_t) ++ (roletype urole crontab_t) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset netlabel_peer_type (utype )) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset corenet_unlabeled_type (utype )) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset syslog_client_type (utype )) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset file_type (crontab_exec_t )) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset non_security_file_type (crontab_exec_t )) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset exec_type (crontab_exec_t )) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset application_domain_type (utype )) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset ubac_constrained_type (utype )) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset kernel_system_state_reader (utype )) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset application_exec_type (crontab_exec_t )) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset nsswitch_domain (utype )) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset entry_type (crontab_exec_t )) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset non_auth_file_type (crontab_exec_t )) ++ (typeattributeset cil_gen_require userdom_home_reader_type) ++ (typeattributeset userdom_home_reader_type (utype )) ++ (typeattributeset cil_gen_require domain) ++ 
(typeattributeset domain (utype )) ++ (allow utype crontab_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype crontab_t (process (transition))) ++ (typetransition utype crontab_exec_t process crontab_t) ++ (allow crontab_t utype (fd (use))) ++ (allow crontab_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow crontab_t utype (process (sigchld))) ++ (dontaudit crond_t utype (process (noatsecure siginh rlimitinh))) ++ (allow utype crond_t (process (sigchld))) ++ (allow utype user_cron_spool_t (file (ioctl read write getattr))) ++ (allow utype crontab_t (process (sigchld sigkill sigstop signull signal))) ++ (allow utype crontab_t (dir (ioctl read getattr lock open search))) ++ (allow utype crontab_t (file (ioctl read getattr lock open))) ++ (allow utype crontab_t (lnk_file (read getattr))) ++ (allow utype crontab_t (process (getattr))) ++ (allow utype crontab_exec_t (file (entrypoint))) ++ (allow utype crontab_exec_t (file (ioctl read getattr lock map execute open))) ++ (allow utype auth_cache_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype chkpwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype chkpwd_t (process (transition))) ++ (typetransition utype chkpwd_exec_t process chkpwd_t) ++ (allow chkpwd_t utype (fd (use))) ++ (allow chkpwd_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow chkpwd_t utype (process (sigchld))) ++ (allow utype chkpwd_exec_t (file (map))) ++ (dontaudit utype shadow_t (file (ioctl read getattr lock open))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype random_device_t (chr_file (ioctl read getattr lock open))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype urandom_device_t (chr_file (ioctl read getattr lock open))) ++ (allow 
utype var_t (dir (getattr open search))) ++ (allow utype var_log_t (dir (getattr open search))) ++ (allow utype faillog_t (dir (getattr open search))) ++ (allow utype faillog_t (file (ioctl read write getattr lock append open))) ++ (allow utype self (capability (audit_write))) ++ (allow utype self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit))) ++ (allow utype cert_t (dir (ioctl read getattr lock open search))) ++ (allow utype cert_t (dir (getattr open search))) ++ (allow utype cert_t (file (ioctl read getattr lock open))) ++ (allow utype cert_t (dir (getattr open search))) ++ (allow utype cert_t (lnk_file (read getattr))) ++ (allow utype updpwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype updpwd_t (process (transition))) ++ (typetransition utype updpwd_exec_t process updpwd_t) ++ (allow updpwd_t utype (fd (use))) ++ (allow updpwd_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow updpwd_t utype (process (sigchld))) ++ (dontaudit utype shadow_t (file (ioctl read getattr lock open))) ++ (allow crontab_t bin_t (dir (getattr open search))) ++ (allow crontab_t bin_t (lnk_file (read getattr))) ++ (allow crontab_t bin_t (dir (getattr open search))) ++ (allow crontab_t bin_t (dir (ioctl read getattr lock open search))) ++ (allow crontab_t bin_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow crontab_t base_ro_file_type (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow crontab_t bin_t (dir (getattr open search))) ++ (allow crontab_t bin_t (dir (ioctl read getattr lock open search))) ++ (allow crontab_t bin_t (dir (getattr open search))) ++ (allow crontab_t bin_t (lnk_file (read getattr))) ++ (allow crontab_t shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow crontab_t shell_exec_t (file (map))) ++ (booleanif 
(cron_userdomain_transition) ++ (true ++ (allow utype cronjob_t (process (getattr))) ++ (allow utype cronjob_t (lnk_file (read getattr))) ++ (allow utype cronjob_t (file (ioctl read getattr lock open))) ++ (allow utype cronjob_t (dir (ioctl read getattr lock open search))) ++ (allow utype cronjob_t (process (sigchld sigkill sigstop signull signal))) ++ (allow utype crond_t (fifo_file (ioctl read write getattr lock append open))) ++ (allow utype user_cron_spool_t (file (entrypoint))) ++ (allow crond_t utype (key (view read write search link setattr create))) ++ (allow crond_t utype (fd (use))) ++ (allow crond_t utype (process (transition))) ++ ) ++ (false ++ (dontaudit utype cronjob_t (process (sigchld sigkill sigstop signull signal))) ++ (dontaudit utype crond_t (fifo_file (ioctl read write getattr lock append open))) ++ (dontaudit utype user_cron_spool_t (file (entrypoint))) ++ (dontaudit crond_t utype (key (view read write search link setattr create))) ++ (dontaudit crond_t utype (fd (use))) ++ (dontaudit crond_t utype (process (transition))) ++ ) ++ ) ++ (booleanif (deny_ptrace) ++ (false ++ (allow utype crontab_t (process (ptrace))) ++ ) ++ ) ++ (optional confinedom_user_login_optional_7 ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require krb5_keytab_t) ++ (allow utype etc_t (dir (getattr open search))) ++ (allow utype krb5_keytab_t (dir (ioctl read getattr lock open search))) ++ (allow utype krb5_keytab_t (file (ioctl read getattr lock open))) ++ ) ++ (optional confinedom_user_login_optional_8 ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require pcscd_var_run_t) ++ (typeattributeset cil_gen_require pcscd_t) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype pcscd_var_run_t (dir (getattr 
open search))) ++ (allow utype pcscd_var_run_t (file (ioctl read getattr lock open))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype pcscd_var_run_t (dir (getattr open search))) ++ (allow utype pcscd_var_run_t (sock_file (write getattr append open))) ++ (allow utype pcscd_t (unix_stream_socket (connectto))) ++ ) ++ (optional confinedom_user_login_optional_9 ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require etc_t) ++ (typeattributeset cil_gen_require samba_var_t) ++ (typeattributeset cil_gen_require winbind_t) ++ (typeattributeset cil_gen_require winbind_var_run_t) ++ (typeattributeset cil_gen_require smbd_var_run_t) ++ (typeattributeset cil_gen_require samba_etc_t) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype smbd_var_run_t (dir (getattr open search))) ++ (allow utype samba_var_t (dir (getattr open search))) ++ (allow utype winbind_var_run_t (dir (getattr open search))) ++ (allow utype winbind_var_run_t (sock_file (write getattr append open))) ++ (allow utype winbind_t (unix_stream_socket (connectto))) ++ (allow utype etc_t (dir (getattr open search))) ++ (allow utype samba_etc_t (dir (getattr open search))) ++ (allow utype samba_etc_t (dir (ioctl read getattr lock open search))) ++ (allow utype samba_etc_t (dir (getattr open search))) ++ (allow utype samba_etc_t (file (ioctl read getattr lock open))) ++ ) ++ (optional confinedom_user_login_optional_10 ++ (typeattributeset cil_gen_require system_dbusd_t) ++ (allow cronjob_t utype (dbus (send_msg))) ++ ) ++ ) ++ (optional confinedom_user_login_optional_11 ++ ;(type dbusd_type) ++ (roletype 
object_r dbusd_type) ++ (typeattributeset cil_gen_require utype) ++ (typeattributeset cil_gen_require shell_exec_t) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset cil_gen_require sysfs_t) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset cil_gen_require security_t) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset cil_gen_require system_dbusd_t) ++ (typeattributeset cil_gen_require session_dbusd_tmp_t) ++ (typeattributeset cil_gen_require dbusd_unconfined) ++ (typeattributeset cil_gen_require session_bus_type) ++ (typeattributeset cil_gen_require dbusd_exec_t) ++ (typeattributeset cil_gen_require dbusd_etc_t) ++ (typeattributeset cil_gen_require userdom_home_manager_type) ++ (typeattributeset cil_gen_require usr_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole dbusd_type) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset netlabel_peer_type (dbusd_type )) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset corenet_unlabeled_type (dbusd_type )) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset syslog_client_type (dbusd_type )) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset file_type (dbusd_exec_t )) ++ 
(typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset non_security_file_type (dbusd_exec_t )) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset exec_type (dbusd_exec_t )) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset application_domain_type (dbusd_type )) ++ (typeattributeset cil_gen_require userdom_home_manager_type) ++ (typeattributeset userdom_home_manager_type (dbusd_type )) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset ubac_constrained_type (dbusd_type )) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset kernel_system_state_reader (dbusd_type )) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset application_exec_type (dbusd_exec_t )) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset nsswitch_domain (dbusd_type )) ++ (typeattributeset cil_gen_require session_bus_type) ++ (typeattributeset session_bus_type (dbusd_type )) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset entry_type (dbusd_exec_t )) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset non_auth_file_type (dbusd_exec_t )) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset domain (dbusd_type )) ++ (allow utype session_dbusd_tmp_t (dir (ioctl write getattr lock open add_name search))) ++ (allow utype session_dbusd_tmp_t (sock_file (create getattr setattr open))) ++ (allow utype system_dbusd_t (dbus (send_msg))) ++ (allow dbusd_type dbusd_exec_t (file (entrypoint))) ++ (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open))) ++ (allow dbusd_type security_t (lnk_file (read getattr))) ++ (allow dbusd_type sysfs_t (filesystem (getattr))) ++ (allow dbusd_type sysfs_t (dir (getattr open search))) ++ (allow dbusd_type sysfs_t (dir (getattr open search))) ++ (allow dbusd_type security_t (filesystem (getattr))) ++ (allow 
utype dbusd_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto))) ++ (allow dbusd_type utype (unix_stream_socket (read write getattr accept getopt))) ++ (allow dbusd_type utype (unix_dgram_socket (sendto))) ++ (allow utype dbusd_type (dbus (acquire_svc send_msg))) ++ (allow dbusd_unconfined dbusd_type (dbus (acquire_svc send_msg))) ++ (allow utype system_dbusd_t (dbus (acquire_svc send_msg))) ++ (allow utype dbusd_type (process (noatsecure siginh rlimitinh))) ++ (allow dbusd_type utype (dbus (send_msg))) ++ (allow utype dbusd_type (dbus (send_msg))) ++ (allow dbusd_type utype (system (start reload))) ++ (allow dbusd_type session_dbusd_tmp_t (service (start stop))) ++ (allow utype session_dbusd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype session_dbusd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype dbusd_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype dbusd_type (process (transition))) ++ (typetransition utype dbusd_exec_t process dbusd_type) ++ (allow dbusd_type utype (fd (use))) ++ (allow dbusd_type utype (fifo_file (ioctl read write getattr lock append))) ++ (allow dbusd_type utype (process (sigchld))) ++ (allow utype dbusd_type (dir (ioctl read getattr lock open search))) ++ (allow utype dbusd_type (file (ioctl read getattr lock open))) ++ (allow utype dbusd_type (lnk_file (read getattr))) ++ (allow utype dbusd_type (process (getattr))) ++ (allow utype dbusd_type (process (sigchld sigkill sigstop signull signal))) ++ (allow dbusd_type bin_t (dir (getattr open search))) ++ (allow dbusd_type bin_t (lnk_file (read getattr))) ++ (allow dbusd_type bin_t (file (ioctl 
read getattr map execute open))) ++ (allow dbusd_type utype (process (transition))) ++ (allow dbusd_type usr_t (dir (getattr open search))) ++ (allow dbusd_type usr_t (lnk_file (read getattr))) ++ (allow dbusd_type usr_t (file (ioctl read getattr map execute open))) ++ (allow dbusd_type utype (process (transition))) ++ (typetransition dbusd_type bin_t process utype) ++ (typetransition dbusd_type usr_t process utype) ++ (allow dbusd_type bin_t (dir (getattr open search))) ++ (allow dbusd_type bin_t (dir (ioctl read getattr lock open search))) ++ (allow dbusd_type bin_t (dir (getattr open search))) ++ (allow dbusd_type bin_t (lnk_file (read getattr))) ++ (allow dbusd_type shell_exec_t (file (ioctl read getattr map execute open))) ++ (allow dbusd_type utype (process (transition))) ++ (typetransition dbusd_type shell_exec_t process utype) ++ (allow dbusd_type utype (process (sigkill))) ++ (allow utype dbusd_type (fd (use))) ++ (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append open))) ++ (allow dbusd_type file_type (service (start stop status reload enable disable))) ++ (dontaudit dbusd_type self (capability (net_admin))) ++ (allow utype session_dbusd_tmp_t (dir (getattr open search))) ++ (allow utype session_dbusd_tmp_t (sock_file (write getattr append open))) ++ (booleanif (deny_ptrace) ++ (false ++ (allow utype dbusd_type (process (ptrace))) ++ ) ++ ) ++ (optional confinedom_user_login_optional_12 ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require mozilla_exec_t) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset file_type (mozilla_exec_t )) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset non_security_file_type (mozilla_exec_t )) ++ 
(typeattributeset cil_gen_require exec_type) ++ (typeattributeset exec_type (mozilla_exec_t )) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset entry_type (mozilla_exec_t )) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset non_auth_file_type (mozilla_exec_t )) ++ (allow utype mozilla_exec_t (file (entrypoint))) ++ (allow utype mozilla_exec_t (file (ioctl read getattr lock map execute open))) ++ (allow dbusd_type mozilla_exec_t (file (ioctl read getattr map execute open))) ++ (allow dbusd_type utype (process (transition))) ++ (typetransition dbusd_type mozilla_exec_t process utype) ++ (allow utype dbusd_type (fd (use))) ++ (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append))) ++ (allow utype dbusd_type (process (sigchld))) ++ ) ++ (optional confinedom_user_login_optional_13 ++ (typeattributeset cil_gen_require systemd_unit_file_t) ++ (allow dbusd_type systemd_unit_file_t (service (start))) ++ ) ++ ) ++ (optional confinedom_user_login_optional_14 ++ ;(type gkeyringd_type) ++ (roletype object_r gkeyringd_type) ++ (roleattributeset cil_gen_require gconfd_roles) ++ (typeattributeset cil_gen_require shell_exec_t) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset cil_gen_require process_user_target) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset cil_gen_require user_tmp_t) ++ (typeattributeset cil_gen_require tmp_t) ++ (typeattributeset cil_gen_require tmpfs_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ 
(typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset cil_gen_require userdom_home_manager_type) ++ (typeattributeset cil_gen_require usr_t) ++ (typeattributeset cil_gen_require gnomedomain) ++ (typeattributeset cil_gen_require gkeyringd_domain) ++ (typeattributeset cil_gen_require gnome_home_type) ++ (typeattributeset cil_gen_require gkeyringd_exec_t) ++ (typeattributeset cil_gen_require gkeyringd_tmp_t) ++ (typeattributeset cil_gen_require gconfd_t) ++ (typeattributeset cil_gen_require gconfd_exec_t) ++ (typeattributeset cil_gen_require gconf_tmp_t) ++ (typeattributeset cil_gen_require cache_home_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype urole gkeyringd_type) ++ (roleattributeset cil_gen_require gconfd_roles) ++ (roleattributeset gconfd_roles (urole )) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset netlabel_peer_type (gkeyringd_type )) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset corenet_unlabeled_type (gkeyringd_type )) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset syslog_client_type (gkeyringd_type )) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset file_type (gkeyringd_exec_t )) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset non_security_file_type (gkeyringd_exec_t )) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset exec_type (gkeyringd_exec_t )) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset application_domain_type (gkeyringd_type )) ++ (typeattributeset cil_gen_require userdom_home_manager_type) ++ (typeattributeset userdom_home_manager_type (gkeyringd_type )) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ 
(typeattributeset ubac_constrained_type (gkeyringd_type )) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset kernel_system_state_reader (gkeyringd_type )) ++ (typeattributeset cil_gen_require gnomedomain) ++ (typeattributeset gnomedomain (gkeyringd_type )) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset application_exec_type (gkeyringd_exec_t )) ++ (typeattributeset cil_gen_require gkeyringd_domain) ++ (typeattributeset gkeyringd_domain (gkeyringd_type )) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset nsswitch_domain (gkeyringd_type )) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset entry_type (gkeyringd_exec_t )) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset non_auth_file_type (gkeyringd_exec_t )) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset domain (gkeyringd_type )) ++ (typeattributeset cil_gen_require process_user_target) ++ (typeattributeset process_user_target (gkeyringd_type )) ++ (allow gkeyringd_type gkeyringd_exec_t (file (entrypoint))) ++ (allow gkeyringd_type gkeyringd_exec_t (file (ioctl read getattr lock map execute open))) ++ (allow utype gconfd_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype gconfd_t (process (transition))) ++ (typetransition utype gconfd_exec_t process gconfd_t) ++ (allow gconfd_t utype (fd (use))) ++ (allow gconfd_t utype (fifo_file (ioctl read write getattr lock append))) ++ (allow gconfd_t utype (process (sigchld))) ++ (allow utype gconfd_t (process (sigchld sigkill sigstop signull signal))) ++ (allow utype gconfd_t (unix_stream_socket (connectto))) ++ (allow utype gconfd_t (dir (ioctl read getattr lock open search))) ++ (allow utype gconfd_t (file (ioctl read getattr lock open))) ++ (allow utype gconfd_t (lnk_file (read getattr))) ++ (allow utype gconfd_t (process (getattr))) ++ (allow gkeyringd_type utype (unix_stream_socket (ioctl read 
write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto))) ++ (allow gkeyringd_type self (process (setsched))) ++ (allow utype gkeyringd_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype gkeyringd_type (process (transition))) ++ (typetransition utype gkeyringd_exec_t process gkeyringd_type) ++ (allow gkeyringd_type utype (fd (use))) ++ (allow gkeyringd_type utype (fifo_file (ioctl read write getattr lock append))) ++ (allow gkeyringd_type utype (process (sigchld))) ++ (allow utype gnome_home_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype gkeyringd_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype gconf_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow utype gnome_home_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) ++ (allow utype gkeyringd_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) ++ (allow utype gconf_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) ++ (allow utype gkeyringd_tmp_t (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open))) ++ (allow utype gkeyringd_type (dir (ioctl read getattr lock open search))) ++ (allow utype gkeyringd_type (file (ioctl read getattr lock open))) ++ (allow utype gkeyringd_type (lnk_file (read getattr))) ++ (allow utype gkeyringd_type (process (getattr))) ++ (allow utype 
gkeyringd_type (process (sigchld sigkill sigstop signull signal))) ++ (dontaudit utype gkeyringd_exec_t (file (entrypoint))) ++ (allow gkeyringd_type utype (process (sigkill))) ++ (allow utype gkeyringd_type (fd (use))) ++ (allow utype gkeyringd_type (fifo_file (ioctl read write getattr lock append open))) ++ (allow utype gkeyringd_type (dbus (acquire_svc))) ++ (allow utype gkeyringd_tmp_t (dir (getattr open search))) ++ (allow utype gkeyringd_tmp_t (sock_file (write getattr append open))) ++ (allow utype gkeyringd_type (unix_stream_socket (connectto))) ++ (allow gkeyringd_type bin_t (dir (getattr open search))) ++ (allow gkeyringd_type bin_t (lnk_file (read getattr))) ++ (allow gkeyringd_type bin_t (file (ioctl read getattr map execute open))) ++ (allow gkeyringd_type utype (process (transition))) ++ (allow gkeyringd_type usr_t (dir (getattr open search))) ++ (allow gkeyringd_type usr_t (lnk_file (read getattr))) ++ (allow gkeyringd_type usr_t (file (ioctl read getattr map execute open))) ++ (allow gkeyringd_type utype (process (transition))) ++ (typetransition gkeyringd_type bin_t process utype) ++ (typetransition gkeyringd_type usr_t process utype) ++ (allow gkeyringd_type bin_t (dir (getattr open search))) ++ (allow gkeyringd_type bin_t (dir (ioctl read getattr lock open search))) ++ (allow gkeyringd_type bin_t (dir (getattr open search))) ++ (allow gkeyringd_type bin_t (lnk_file (read getattr))) ++ (allow gkeyringd_type shell_exec_t (file (ioctl read getattr map execute open))) ++ (allow gkeyringd_type utype (process (transition))) ++ (typetransition gkeyringd_type shell_exec_t process utype) ++ (allow utype gconf_tmp_t (dir (getattr open search))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype tmp_t (dir (getattr open search))) ++ (allow utype tmp_t (lnk_file (read getattr))) ++ (allow utype tmp_t (dir (getattr open search))) ++ (allow utype user_tmp_t (dir (getattr open search))) ++ (allow utype gkeyringd_tmp_t (dir (getattr open 
search))) ++ (allow utype gkeyringd_tmp_t (sock_file (write getattr append open))) ++ (allow utype gkeyringd_domain (unix_stream_socket (connectto))) ++ (allow utype cache_home_t (dir (getattr open search))) ++ (allow utype cache_home_t (sock_file (write getattr append open))) ++ (allow utype gkeyringd_domain (unix_stream_socket (connectto))) ++ (allow gkeyringd_type utype (dir (ioctl read getattr lock open search))) ++ (allow gkeyringd_type utype (file (ioctl read getattr lock open))) ++ (allow gkeyringd_type utype (lnk_file (read getattr))) ++ (allow gkeyringd_type utype (process (getattr))) ++ (allow gkeyringd_type user_tmp_t (dir (ioctl read getattr lock open search))) ++ (allow gkeyringd_type user_tmp_t (sock_file (read write getattr append))) ++ (allow gkeyringd_type tmpfs_t (dir (getattr open search))) ++ (allow gkeyringd_type tmp_t (dir (getattr open search))) ++ (allow gkeyringd_type tmp_t (lnk_file (read getattr))) ++ (allow gkeyringd_type tmp_t (dir (getattr open search))) ++ (allow gkeyringd_type utype (dbus (acquire_svc send_msg))) ++ (allow utype gkeyringd_type (dbus (send_msg))) ++ (optional confinedom_user_login_optional_15 ++ (typeattributeset cil_gen_require user_home_dir_t) ++ (typeattributeset cil_gen_require home_root_t) ++ (typeattributeset cil_gen_require system_dbusd_t) ++ (typeattributeset cil_gen_require session_bus_type) ++ (typeattributeset cil_gen_require dbusd_type) ++ (typeattributeset cil_gen_require gnome_home_t) ++ (typeattributeset cil_gen_require data_home_t) ++ (typeattributeset cil_gen_require gconf_home_t) ++ (allow dbusd_type gkeyringd_exec_t (file (ioctl read getattr map execute open))) ++ (allow dbusd_type gkeyringd_type (process (transition))) ++ (typetransition dbusd_type gkeyringd_exec_t process gkeyringd_type) ++ (allow gkeyringd_type dbusd_type (fd (use))) ++ (allow gkeyringd_type dbusd_type (fifo_file (ioctl read write getattr lock append))) ++ (allow gkeyringd_type dbusd_type (process (sigchld))) ++ (allow 
gkeyringd_type session_bus_type (dbus (send_msg))) ++ (allow gkeyringd_type self (dbus (send_msg))) ++ (allow gkeyringd_type session_bus_type (unix_stream_socket (connectto))) ++ (allow session_bus_type gkeyringd_type (process (sigkill))) ++ (allow gkeyringd_type session_bus_type (dbus (acquire_svc))) ++ (allow gkeyringd_type system_dbusd_t (unix_stream_socket (connectto))) ++ (allow gkeyringd_type system_dbusd_t (dbus (send_msg))) ++ (allow gkeyringd_type user_home_dir_t (dir (getattr open search))) ++ (allow gkeyringd_type user_home_dir_t (lnk_file (read getattr))) ++ (allow gkeyringd_type home_root_t (dir (getattr open search))) ++ (allow gkeyringd_type home_root_t (lnk_file (read getattr))) ++ (allow gkeyringd_type gnome_home_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow gkeyringd_type data_home_t (dir (getattr open search))) ++ (allow gkeyringd_type gconf_home_t (dir (getattr open search))) ++ (allow gkeyringd_type data_home_t (file (ioctl read getattr lock open))) ++ (allow gkeyringd_type data_home_t (dir (getattr open search))) ++ (allow gkeyringd_type gconf_home_t (dir (getattr open search))) ++ (allow gkeyringd_type data_home_t (lnk_file (read getattr))) ++ (allow gkeyringd_type data_home_t (dir (getattr open search))) ++ (allow gkeyringd_type gconf_home_t (dir (getattr open search))) ++ (allow gkeyringd_type data_home_t (dir (ioctl read getattr lock open search))) ++ (optional confinedom_user_login_optional_16 ++ (typeattributeset cil_gen_require proc_t) ++ (typeattributeset cil_gen_require telepathy_mission_control_t) ++ (typeattributeset cil_gen_require telepathy_gabble_t) ++ (allow gkeyringd_type proc_t (dir (getattr open search))) ++ (allow gkeyringd_type proc_t (dir (getattr open search))) ++ (allow gkeyringd_type telepathy_mission_control_t (dir (ioctl read getattr lock open search))) ++ (allow gkeyringd_type telepathy_mission_control_t (file 
(ioctl read getattr lock open))) ++ (allow gkeyringd_type telepathy_mission_control_t (lnk_file (read getattr))) ++ (allow gkeyringd_type telepathy_mission_control_t (process (getattr))) ++ (allow telepathy_gabble_t gkeyringd_tmp_t (dir (getattr open search))) ++ (allow telepathy_gabble_t gkeyringd_tmp_t (sock_file (write getattr append open))) ++ (allow telepathy_gabble_t gkeyringd_type (unix_stream_socket (connectto))) ++ ) ++ (optional confinedom_user_login_optional_17 ++ (typeattributeset cil_gen_require systemd_logind_t) ++ (allow gkeyringd_type systemd_logind_t (dbus (send_msg))) ++ (allow systemd_logind_t gkeyringd_type (dbus (send_msg))) ++ (allow systemd_logind_t gkeyringd_type (dir (ioctl read getattr lock open search))) ++ (allow systemd_logind_t gkeyringd_type (file (ioctl read getattr lock open))) ++ (allow systemd_logind_t gkeyringd_type (lnk_file (read getattr))) ++ (allow systemd_logind_t gkeyringd_type (process (getattr))) ++ (allow systemd_logind_t gkeyringd_type (process (signal))) ++ (allow gkeyringd_type systemd_logind_t (fd (use))) ++ ) ++ ) ++ (optional confinedom_user_login_optional_18 ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require ssh_agent_exec_t) ++ (allow gkeyringd_type bin_t (dir (getattr open search))) ++ (allow gkeyringd_type bin_t (lnk_file (read getattr))) ++ (allow gkeyringd_type bin_t (dir (getattr open search))) ++ (allow gkeyringd_type bin_t (dir (getattr open search))) ++ (allow gkeyringd_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ ) ++ ) ++ (optional confinedom_user_login_optional_19 ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require locate_var_lib_t) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype locate_var_lib_t (dir (getattr open search))) ++ (allow utype locate_var_lib_t (file (ioctl read 
getattr lock open))) ++ (allow utype locate_var_lib_t (dir (ioctl read getattr lock open search))) ++ ) ++ (optional confinedom_user_login_optional_20 ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require mail_spool_t) ++ (typeattributeset cil_gen_require var_spool_t) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_spool_t (dir (getattr open search))) ++ (allow utype mail_spool_t (dir (ioctl read getattr lock open search))) ++ (allow utype mail_spool_t (dir (getattr open search))) ++ (allow utype mail_spool_t (file (getattr))) ++ (allow utype mail_spool_t (dir (getattr open search))) ++ (allow utype mail_spool_t (lnk_file (read getattr))) ++ ) ++ ) ++ ) ++) ++ ++(macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type)) ++ (optional confined_ssh_connect_macro_optional ++ (typeattributeset cil_gen_require sshd_t) ++ (typeattributeset cil_gen_require ptmx_t) ++ (typeattributeset cil_gen_require device_t) ++ (typeattributeset cil_gen_require sshd_devpts_t) ++ (typeattributeset cil_gen_require ssh_server) ++ (typeattributeset cil_gen_require ssh_t) ++ (typeattributeset cil_gen_require ssh_exec_t) ++ (typeattributeset cil_gen_require ssh_tmpfs_t) ++ (typeattributeset cil_gen_require ssh_home_t) ++ (typeattributeset cil_gen_require ssh_agent_exec_t) ++ (typeattributeset cil_gen_require ssh_keysign_t) ++ (typeattributeset cil_gen_require ssh_agent_tmp_t) ++ (typeattributeset cil_gen_require cache_home_t) ++ (typeattributeset cil_gen_require application_domain_type) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset cil_gen_require entry_type) ++ 
(typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset cil_gen_require privfd) ++ (typeattributeset cil_gen_require user_home_dir_t) ++ (typeattributeset cil_gen_require home_root_t) ++ (typeattributeset cil_gen_require user_tmp_type) ++ (typeattributeset cil_gen_require user_tmp_t) ++ (typeattributeset cil_gen_require tmp_t) ++ (typeattributeset cil_gen_require tmpfs_t) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset cil_gen_require shell_exec_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require usr_t) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset cil_gen_require tty_device_t) ++ (typeattributeset cil_gen_require user_home_t) ++ (typeattributeset cil_gen_require userdom_home_manager_type) ++ (typeattributeset cil_gen_require ssh_keygen_exec_t) ++ (roleattributeset cil_gen_require urole) ++ (roletype object_r ssh_agent_type) ++ (roletype urole ssh_t) ++ (roletype urole ssh_agent_type) ++ (roletype urole user_tmp_t) ++ (typeattributeset cil_gen_require netlabel_peer_type) ++ (typeattributeset netlabel_peer_type (ssh_agent_type )) ++ (typeattributeset cil_gen_require corenet_unlabeled_type) ++ (typeattributeset corenet_unlabeled_type (ssh_agent_type )) ++ (typeattributeset cil_gen_require privfd) ++ (typeattributeset privfd (ssh_agent_type )) ++ (typeattributeset cil_gen_require syslog_client_type) ++ (typeattributeset syslog_client_type (ssh_agent_type )) ++ (typeattributeset cil_gen_require file_type) ++ (typeattributeset file_type (ssh_agent_exec_t )) ++ (typeattributeset cil_gen_require non_security_file_type) ++ (typeattributeset non_security_file_type (ssh_agent_exec_t )) ++ (typeattributeset cil_gen_require exec_type) ++ (typeattributeset exec_type (ssh_agent_exec_t )) ++ (typeattributeset cil_gen_require application_domain_type) 
++ (typeattributeset application_domain_type (ssh_agent_type )) ++ (typeattributeset cil_gen_require userdom_home_manager_type) ++ (typeattributeset userdom_home_manager_type (ssh_agent_type )) ++ (typeattributeset cil_gen_require ubac_constrained_type) ++ (typeattributeset ubac_constrained_type (ssh_agent_type )) ++ (typeattributeset cil_gen_require ssh_agent_type) ++ (typeattributeset cil_gen_require kernel_system_state_reader) ++ (typeattributeset kernel_system_state_reader (ssh_agent_type )) ++ (typeattributeset cil_gen_require application_exec_type) ++ (typeattributeset application_exec_type (ssh_agent_exec_t )) ++ (typeattributeset cil_gen_require nsswitch_domain) ++ (typeattributeset nsswitch_domain (ssh_agent_type )) ++ (typeattributeset cil_gen_require entry_type) ++ (typeattributeset entry_type (ssh_agent_exec_t )) ++ (typeattributeset cil_gen_require non_auth_file_type) ++ (typeattributeset non_auth_file_type (ssh_agent_exec_t )) ++ (typeattributeset cil_gen_require domain) ++ (typeattributeset domain (ssh_agent_type )) ++ (allow sshd_t utype (process (dyntransition))) ++ (allow utype sshd_t (process (sigchld))) ++ (allow sshd_t utype (process (sigkill sigstop signull signal getattr))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (dir (ioctl read getattr lock open search))) ++ (allow utype device_t (dir (getattr open search))) ++ (allow utype device_t (lnk_file (read getattr))) ++ (allow utype ptmx_t (chr_file (ioctl read write getattr lock append open))) ++ (allow utype sshd_devpts_t (chr_file (ioctl read write getattr lock append))) ++ (allow ssh_agent_type ssh_agent_exec_t (file (entrypoint))) ++ (allow ssh_agent_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open))) ++ (allow utype ssh_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype ssh_t (process (transition))) ++ (typetransition utype ssh_exec_t process ssh_t) ++ (allow ssh_t utype (fd (use))) ++ (allow ssh_t utype (fifo_file 
(ioctl read write getattr lock append))) ++ (allow ssh_t utype (process (sigchld))) ++ (allow utype ssh_server (unix_stream_socket (ioctl read write getattr setattr lock append bind connect listen accept getopt setopt shutdown))) ++ (allow utype ssh_t (dir (ioctl read getattr lock open search))) ++ (allow utype ssh_t (file (ioctl read getattr lock open))) ++ (allow utype ssh_t (lnk_file (read getattr))) ++ (allow utype ssh_t (process (getattr))) ++ (allow utype ssh_t (process (sigchld sigkill sigstop signull signal))) ++ (allow ssh_t utype (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown))) ++ (allow ssh_t utype (unix_stream_socket (connectto))) ++ (allow ssh_t utype (key (view read write search link setattr create))) ++ (allow utype ssh_t (key (view read write search))) ++ (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype ssh_home_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype ssh_home_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype ssh_home_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype user_home_dir_t (dir (getattr open search))) ++ (allow utype user_home_dir_t (lnk_file (read getattr))) ++ (allow utype home_root_t (dir (getattr open search))) ++ (allow utype home_root_t (lnk_file (read getattr))) ++ (typemember ssh_t tmp_t dir user_tmp_t) ++ (allow ssh_t user_tmp_type (dir (mounton))) ++ (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow ssh_t user_tmp_type (dir (ioctl read write create 
getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) ++ (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow ssh_t user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow ssh_t user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) ++ (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow ssh_t user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow ssh_t user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow ssh_t tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (typetransition ssh_t tmp_t fifo_file user_tmp_t) ++ (typetransition ssh_t tmp_t sock_file user_tmp_t) ++ (typetransition ssh_t tmp_t lnk_file user_tmp_t) ++ (typetransition ssh_t tmp_t dir user_tmp_t) ++ (typetransition ssh_t tmp_t file user_tmp_t) ++ (allow user_tmp_t tmpfs_t (filesystem (associate))) ++ (allow ssh_t tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (typetransition ssh_t tmpfs_t fifo_file user_tmp_t) ++ (typetransition ssh_t tmpfs_t sock_file user_tmp_t) ++ (typetransition ssh_t tmpfs_t lnk_file user_tmp_t) ++ (typetransition ssh_t tmpfs_t dir user_tmp_t) ++ (typetransition ssh_t tmpfs_t file user_tmp_t) ++ (allow ssh_t user_tmp_type (dir (getattr open search))) ++ (allow ssh_t user_tmp_type (dir (getattr relabelfrom relabelto))) ++ (allow ssh_t user_tmp_type (dir (getattr open search))) ++ (allow ssh_t 
user_tmp_type (file (getattr relabelfrom relabelto))) ++ (allow ssh_t user_tmp_type (dir (getattr open search))) ++ (allow ssh_t user_tmp_type (lnk_file (getattr relabelfrom relabelto))) ++ (allow ssh_t user_tmp_type (dir (getattr open search))) ++ (allow ssh_t user_tmp_type (sock_file (getattr relabelfrom relabelto))) ++ (allow ssh_t user_tmp_type (dir (getattr open search))) ++ (allow ssh_t user_tmp_type (fifo_file (getattr relabelfrom relabelto))) ++ (allow ssh_t user_tmp_type (file (map))) ++ (allow ssh_agent_type utype (process (signull))) ++ (allow ssh_agent_type ssh_agent_type (process (signull))) ++ (allow ssh_agent_type self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto))) ++ (allow utype ssh_agent_tmp_t (dir (getattr open search))) ++ (allow utype ssh_agent_tmp_t (sock_file (write getattr append open))) ++ (allow utype ssh_agent_type (unix_stream_socket (connectto))) ++ (allow utype cache_home_t (dir (getattr open search))) ++ (allow utype cache_home_t (sock_file (write getattr append open))) ++ (allow utype ssh_agent_type (unix_stream_socket (connectto))) ++ (allow utype ssh_agent_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown))) ++ (allow utype ssh_agent_type (process (sigchld sigkill sigstop signull signal))) ++ (allow utype ssh_agent_type (dir (ioctl read getattr lock open search))) ++ (allow utype ssh_agent_type (file (ioctl read getattr lock open))) ++ (allow utype ssh_agent_type (lnk_file (read getattr))) ++ (allow utype ssh_agent_type (process (getattr))) ++ (allow ssh_agent_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype ssh_agent_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype ssh_agent_type (process (transition))) ++ (typetransition utype ssh_agent_exec_t process ssh_agent_type) ++ (allow 
ssh_agent_type utype (fd (use))) ++ (allow ssh_agent_type utype (fifo_file (ioctl read write getattr lock append))) ++ (allow ssh_agent_type utype (process (sigchld))) ++ (allow ssh_agent_type bin_t (dir (getattr open search))) ++ (allow ssh_agent_type bin_t (dir (ioctl read getattr lock open search))) ++ (allow ssh_agent_type bin_t (dir (getattr open search))) ++ (allow ssh_agent_type bin_t (lnk_file (read getattr))) ++ (allow ssh_agent_type shell_exec_t (file (ioctl read getattr map execute open))) ++ (allow ssh_agent_type utype (process (transition))) ++ (typetransition ssh_agent_type shell_exec_t process utype) ++ (allow ssh_agent_type bin_t (dir (getattr open search))) ++ (allow ssh_agent_type bin_t (lnk_file (read getattr))) ++ (allow ssh_agent_type bin_t (file (ioctl read getattr map execute open))) ++ (allow ssh_agent_type utype (process (transition))) ++ (allow ssh_agent_type usr_t (dir (getattr open search))) ++ (allow ssh_agent_type usr_t (lnk_file (read getattr))) ++ (allow ssh_agent_type usr_t (file (ioctl read getattr map execute open))) ++ (allow ssh_agent_type utype (process (transition))) ++ (typetransition ssh_agent_type bin_t process utype) ++ (typetransition ssh_agent_type usr_t process utype) ++ (allow ssh_agent_type device_t (dir (getattr open search))) ++ (allow ssh_agent_type device_t (dir (ioctl read getattr lock open search))) ++ (allow ssh_agent_type device_t (dir (getattr open search))) ++ (allow ssh_agent_type device_t (lnk_file (read getattr))) ++ (allow ssh_agent_type tty_device_t (chr_file (ioctl read write getattr lock append open))) ++ (allow ssh_agent_type user_home_t (file (ioctl read getattr map execute open))) ++ (allow ssh_agent_type utype (process (transition))) ++ (typetransition ssh_agent_type user_home_t process utype) ++ (allow ssh_agent_type user_home_dir_t (dir (getattr open search))) ++ (allow ssh_agent_type home_root_t (dir (getattr open search))) ++ (allow ssh_agent_type home_root_t (lnk_file (read getattr))) ++ 
(allow utype ssh_keygen_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ ) ++) ++ ++(macro confined_use_basic_commands_macro ((type utype) (role urole)) ++ (optional confined_use_basic_commands_optional_2 ++ (roleattributeset cil_gen_require urole) ++ (typeattributeset cil_gen_require init_var_lib_t) ++ (typeattributeset cil_gen_require utype) ++ (typeattributeset cil_gen_require login_confinedom) ++ (typeattributeset cil_gen_require var_t) ++ (typeattributeset cil_gen_require var_lib_t) ++ (typeattributeset cil_gen_require init_t) ++ (typeattributeset cil_gen_require var_log_t) ++ (typeattributeset cil_gen_require syslogd_var_run_t) ++ (typeattributeset cil_gen_require systemd_unit_file_type) ++ (typeattributeset cil_gen_require systemd_systemctl_exec_t) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require cgroup_t) ++ (typeattributeset cil_gen_require tmpfs_t) ++ (typeattributeset cil_gen_require sysfs_t) ++ (typeattributeset cil_gen_require efivarfs_t) ++ (typeattributeset cil_gen_require init_var_run_t) ++ (typeattributeset cil_gen_require var_run_t) ++ (typeattributeset cil_gen_require systemd_logind_var_run_t) ++ (typeattributeset cil_gen_require systemd_passwd_agent_t) ++ (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) ++ (typeattributeset cil_gen_require systemd_passwd_var_run_t) ++ (allow utype utype (process (setpgid))) ++ (allow utype utype (system (status))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype init_var_lib_t (dir (getattr open search))) ++ (allow utype init_var_lib_t (file (ioctl read getattr map open))) ++ (allow utype init_t (process (signal))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_log_t (dir (ioctl read getattr lock open search))) ++ (allow utype var_log_t (file (map))) ++ (allow utype var_log_t (dir (getattr open search))) ++ (allow utype var_log_t (file (ioctl 
read getattr lock open))) ++ (allow utype var_log_t (dir (getattr open search))) ++ (allow utype var_log_t (lnk_file (read getattr))) ++ (allow utype syslogd_var_run_t (dir (getattr open search))) ++ (allow utype syslogd_var_run_t (file (ioctl read getattr lock open map))) ++ (allow utype syslogd_var_run_t (dir (getattr open search))) ++ (allow utype syslogd_var_run_t (dir (ioctl read getattr lock open search))) ++ ;corecmd_bin_entry_type(utype) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (file (entrypoint))) ++ (allow utype bin_t (file (ioctl read getattr lock map execute open))) ++ (allow utype usr_t (file (entrypoint))) ++ (allow utype usr_t (file (ioctl read getattr lock map execute open))) ++ (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype cgroup_t (dir (getattr open search))) ++ (allow utype cgroup_t (dir (ioctl read getattr lock open search))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype cgroup_t (dir (getattr open search))) ++ (allow utype cgroup_t (file (ioctl read getattr lock open))) ++ (allow utype cgroup_t (dir (getattr open search))) ++ (allow utype cgroup_t (lnk_file (read getattr))) ++ (allow utype tmpfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype sysfs_t (dir (getattr open search))) ++ (allow utype efivarfs_t (dir (getattr open search))) ++ (allow utype efivarfs_t (file (ioctl read getattr lock open))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_lib_t (dir (getattr open search))) ++ (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) ++ (allow utype 
init_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow utype init_t (dir (getattr open search))) ++ (allow utype init_t (file (ioctl read getattr lock open))) ++ (allow utype init_t (lnk_file (read getattr))) ++ (allow utype init_t (unix_stream_socket (sendto))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype init_var_run_t (dir (getattr open search))) ++ (allow utype init_var_run_t (sock_file (write getattr append open))) ++ (allow utype init_t (unix_stream_socket (connectto))) ++ (allow utype init_t (unix_stream_socket (getattr))) ++ (dontaudit utype self (process (setrlimit))) ++ (dontaudit utype self (capability (sys_resource))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) ++ (allow utype var_t (lnk_file (read getattr))) ++ (allow utype var_run_t (lnk_file (read getattr))) ++ (allow utype var_t (dir (getattr open search))) ++ (allow utype var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (dir (getattr open search))) ++ (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) ++ (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) ++ (allow utype init_var_run_t (dir (getattr open search))) ++ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) ++ (allow utype 
systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) ++ (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) ++ (allow systemd_passwd_agent_t utype (process (signull))) ++ (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) ++ (dontaudit utype self (capability (net_admin sys_ptrace))) ++ (allow utype systemd_unit_file_type (service (status))) ++ (optional confined_use_basic_commands_optional_3 ++ (typeattributeset cil_gen_require adjtime_t) ++ (typeattributeset cil_gen_require etc_t) ++ (allow utype etc_t (dir (ioctl read getattr lock open search))) ++ (allow utype adjtime_t (file (ioctl read getattr lock open))) ++ ) ++ (optional confined_use_basic_commands_optional_4 ++ (typeattributeset cil_gen_require mandb_cache_t) ++ (allow utype mandb_cache_t (file (map))) ++ ) ++ (optional confined_use_basic_commands_optional_5 ++ (roleattributeset cil_gen_require passwd_roles) ++ (typeattributeset cil_gen_require bin_t) ++ (typeattributeset cil_gen_require passwd_t) ++ (typeattributeset cil_gen_require passwd_exec_t) ++ (roleattributeset cil_gen_require passwd_roles) ++ (roleattributeset passwd_roles (urole )) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (lnk_file (read getattr))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype bin_t (dir (getattr open search))) ++ (allow utype passwd_exec_t (file (ioctl read getattr map execute open))) ++ (allow utype passwd_t (process (transition))) ++ (typetransition utype passwd_exec_t process passwd_t) ++ (allow passwd_t utype (fd (use))) ++ (allow passwd_t utype (fifo_file (ioctl read write getattr lock append))) ++ 
(allow passwd_t utype (process (sigchld))) ++ ) ++ ) ++) ++ ++;(call confinedom_admin_commands_macro (u_t u_r u_sudo_t)) ++;(call confinedom_graphical_login_macro (u_t u_r u_dbus_t)) ++;(call confinedom_mozilla_usage_macro (u_t u_r)) ++;(call confinedom_networking_macro (u_t u_r)) ++;(call confinedom_security_advanced_macro (u_t u_r u_sudo_t u_userhelper_t)) ++;(call confinedom_security_basic_macro (u_t u_r)) ++;(call confinedom_sudo_macro (u_t u_r u_sudo_t u_sudo_tmp_t)) ++;(call confinedom_user_login_macro (u_t u_r u_gkeyringd_t u_dbus_t u_exec_content)) ++;(call confined_ssh_connect_macro (u_t u_r u_ssh_agent_t)) ++;(call confined_use_basic_commands_macro (u_t u_r)) +-- +2.41.0 + diff --git a/0002-Add-tests-covering-confined-user-policy-generation.patch b/0002-Add-tests-covering-confined-user-policy-generation.patch new file mode 100644 index 0000000..280257b --- /dev/null +++ b/0002-Add-tests-covering-confined-user-policy-generation.patch 
@@ -0,0 +1,170 @@
+From bf1c8b2491b6f3eca2e519fb18d7d2143acc54fc Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Wed, 20 Dec 2023 14:33:27 +0100
+Subject: [PATCH] Add tests covering confined user policy generation
+
+Signed-off-by: Vit Mojzis
+---
+ tests/test_confined_abcdgilmns.cil | 24 ++++++++++++++++++++
+ tests/test_confined_cla.cil | 15 +++++++++++++
+ tests/test_confined_lb.cil | 12 ++++++++++
+ tests/test_confined_lsid.cil | 17 +++++++++++++++
+ tests/test_main.py | 35 +++++++++++++++++++++++++-----
+ 5 files changed, 98 insertions(+), 5 deletions(-)
+ create mode 100644 tests/test_confined_abcdgilmns.cil
+ create mode 100644 tests/test_confined_cla.cil
+ create mode 100644 tests/test_confined_lb.cil
+ create mode 100644 tests/test_confined_lsid.cil
+
+diff --git a/tests/test_confined_abcdgilmns.cil b/tests/test_confined_abcdgilmns.cil
+new file mode 100644
+index 0000000..5fd619f
+--- /dev/null
++++ b/tests/test_confined_abcdgilmns.cil
+@@ -0,0 +1,24 @@
++(boolean my_container_exec_content true)
++(role my_container_r)
++(type my_container_dbus_t)
++(type my_container_gkeyringd_t)
++(type my_container_ssh_agent_t)
++(type my_container_sudo_t)
++(type my_container_sudo_tmp_t)
++(type my_container_t)
++(type my_container_userhelper_t)
++(user my_container_u)
++(userrole my_container_u my_container_r)
++(userlevel my_container_u (s0))
++(userrange my_container_u ((s0 ) (s0 (c0))))
++
++(call confinedom_admin_commands_macro (my_container_t my_container_r my_container_sudo_t))
++(call confinedom_graphical_login_macro (my_container_t my_container_r my_container_dbus_t))
++(call confinedom_mozilla_usage_macro (my_container_t my_container_r))
++(call confinedom_networking_macro (my_container_t my_container_r))
++(call confinedom_security_advanced_macro (my_container_t my_container_r my_container_sudo_t my_container_userhelper_t))
++(call confinedom_security_basic_macro (my_container_t my_container_r))
++(call confinedom_sudo_macro (my_container_t my_container_r my_container_sudo_t my_container_sudo_tmp_t))
++(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
++(call confined_ssh_connect_macro (my_container_t my_container_r my_container_ssh_agent_t))
++(call confined_use_basic_commands_macro (my_container_t my_container_r))
+\ No newline at end of file
+diff --git a/tests/test_confined_cla.cil b/tests/test_confined_cla.cil
+new file mode 100644
+index 0000000..a633aaa
+--- /dev/null
++++ b/tests/test_confined_cla.cil
+@@ -0,0 +1,15 @@
++(boolean my_container_exec_content true)
++(role my_container_r)
++(type my_container_dbus_t)
++(type my_container_gkeyringd_t)
++(type my_container_ssh_agent_t)
++(type my_container_sudo_t)
++(type my_container_t)
++(user my_container_u)
++(userrole my_container_u my_container_r)
++(userlevel my_container_u (s0))
++(userrange my_container_u ((s0 ) (s0 (c0))))
++
++(call confinedom_admin_commands_macro (my_container_t my_container_r my_container_sudo_t))
++(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
++(call confined_ssh_connect_macro (my_container_t my_container_r my_container_ssh_agent_t))
+\ No newline at end of file
+diff --git a/tests/test_confined_lb.cil b/tests/test_confined_lb.cil
+new file mode 100644
+index 0000000..3e3c997
+--- /dev/null
++++ b/tests/test_confined_lb.cil
+@@ -0,0 +1,12 @@
++(boolean my_container_exec_content true)
++(role my_container_r)
++(type my_container_dbus_t)
++(type my_container_gkeyringd_t)
++(type my_container_t)
++(user my_container_u)
++(userrole my_container_u my_container_r)
++(userlevel my_container_u (s0))
++(userrange my_container_u ((s0 ) (s0 (c0))))
++
++(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
++(call confined_use_basic_commands_macro (my_container_t my_container_r))
+\ No newline at end of file
+diff --git a/tests/test_confined_lsid.cil b/tests/test_confined_lsid.cil
+new file mode 100644
+index 0000000..8719420
+--- /dev/null
++++ b/tests/test_confined_lsid.cil
+@@ -0,0 +1,17 @@
++(boolean my_container_exec_content true)
++(role my_container_r)
++(type my_container_dbus_t)
++(type my_container_gkeyringd_t)
++(type my_container_sudo_t)
++(type my_container_sudo_tmp_t)
++(type my_container_t)
++(type my_container_userhelper_t)
++(user my_container_u)
++(userrole my_container_u my_container_r)
++(userlevel my_container_u (s0))
++(userrange my_container_u ((s0 ) (s0 (c0))))
++
++(call confinedom_security_advanced_macro (my_container_t my_container_r my_container_sudo_t my_container_userhelper_t))
++(call confinedom_security_basic_macro (my_container_t my_container_r))
++(call confinedom_sudo_macro (my_container_t my_container_r my_container_sudo_t my_container_sudo_tmp_t))
++(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+\ No newline at end of file
+diff --git a/tests/test_main.py b/tests/test_main.py
+index fb6a9ab..0c73861 100644
+--- a/tests/test_main.py
++++ b/tests/test_main.py
+@@ -369,7 +369,26 @@ class TestBase(unittest.TestCase):
+ self.assert_templates(output, ["base_container"])
+ self.assert_policy(test_file("test_devices.podman.cil"))
+
+- def run_udica(self, args):
++ # Confined user tests
++ def test_confined_user(self):
++ """udica confined_user --level s0 --range s0:c0 my_container"""
++ for arg in ["cla", "lb", "lsid", "abcdgilmns"]:
++ output = self.run_udica(
++ [
++ "udica",
++ "confined_user",
++ "-{}".format(arg),
++ "--level",
++ "s0",
++ "--range",
++ "s0:c0",
++ "my_container",
++ ],
++ True,
++ )
++ self.assert_policy(test_file("test_confined_{}.cil".format(arg)))
++
++ def run_udica(self, args, confined=False):
+ with patch("sys.argv", args):
+ with patch("sys.stderr.write") as mock_err, patch(
+ "sys.stdout.write"
+@@ -383,10 +402,16 @@ class TestBase(unittest.TestCase):
+ udica.__main__.main()
+ mock_err.assert_not_called()
+
+- self.assertRegex(mock_out.output, "Policy my_container created")
+- self.assertRegex(
+- mock_out.output, "--security-opt label=type:my_container.process"
+- )
++ if confined:
++ self.assertRegex(mock_out.output, "semodule -i my_container.cil")
++ self.assertRegex(
++ mock_out.output, "semanage login -a -s my_container_u my_container"
++ )
++ else:
++ self.assertRegex(mock_out.output, "Policy my_container created")
++ self.assertRegex(
++ mock_out.output, "--security-opt label=type:my_container.process"
++ )
+
+ return mock_out.output
+
+--
+2.41.0
+
diff --git a/udica.spec b/udica.spec
index 1a7a9fc..21b9268 100644
--- a/udica.spec
+++ b/udica.spec
@@ -1,9 +1,11 @@
 Summary: A tool for generating SELinux security policies for containers
 Name: udica
 Version: 0.2.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz
-#git format-patch -N 4a64ff7c1b8116a1894e72eee2a19706e970001f -- . ':!.cirrus.yml' ':!.github'
+#git format-patch -N v0.2.8 -- . ':!.cirrus.yml' ':!.github'
+Patch0001: 0001-Add-option-to-generate-custom-policy-for-a-confined-.patch
+Patch0002: 0002-Add-tests-covering-confined-user-policy-generation.patch
 License: GPL-3.0-or-later
 BuildArch: noarch
 Url: https://github.com/containers/udica
@@ -38,6 +40,7 @@ inspection of container JSON file.
 %{__python2} setup.py install --single-version-externally-managed --root=%{buildroot}
 %endif
+install --directory %{buildroot}%{_datadir}/udica/macros
 install --directory %{buildroot}%{_mandir}/man8
 install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
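Review bot: In test_confined_user the new flag is passed positionally as a bare `True` after the argv list, and `run_udica(self, args, confined=False)` accepts it that way; making the parameter keyword-only, `def run_udica(self, args, *, confined=False):`, and calling `self.run_udica([...], confined=True)` keeps the call readable. The confined branch checks literal text with assertRegex, where the `.` in `"semodule -i my_container.cil"` is an unescaped metacharacter, so `assertIn` would state the exact expected output more precisely. The docstring `"""udica confined_user --level s0 --range s0:c0 my_container"""` describes one command although the loop exercises four flag sets; noting that the combined short options come from the loop (`-cla`, `-lb`, `-lsid`, `-abcdgilmns`) would explain the fixture names. Both methods belong to TestBase, whose class body continues outside this hunk.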
@@ -46,7 +49,9 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
 %{_bindir}/udica
 %dir %{_datadir}/udica
 %dir %{_datadir}/udica/ansible
+%dir %{_datadir}/udica/macros
 %{_datadir}/udica/ansible/*
+%{_datadir}/udica/macros/*
 %if 0%{?fedora} || 0%{?rhel} > 7
 %license LICENSE
@@ -59,6 +64,9 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
 %endif
 %changelog
+* Thu Dec 21 2023 Vit Mojzis - 0.2.8-2
+- Add option to generate custom policy for a confined user
+
 * Wed Nov 29 2023 Vit Mojzis - 0.2.8-1
 - New release