From 21aa1fb602540d26e3ccad46ab59922da1810dd8 Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Wed, 29 Nov 2023 10:38:48 +0100
Subject: [PATCH] Add option to generate custom policy for a confined user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Udica can now generate cil policy for a confined user using a list of macros. The macros are based on policy templates created by Patrik Končitý: https://github.com/Koncpa/confined-users-policy
Signed-off-by: Vit Mojzis
---
 setup.py | 1 +
 udica/__main__.py | 332 +-
 udica/confined_user.py | 134 +
 udica/macros/confined_user_macros.cil | 4367 +++++++++++++++++++++++++
 4 files changed, 4719 insertions(+), 115 deletions(-)
 create mode 100644 udica/confined_user.py
 create mode 100644 udica/macros/confined_user_macros.cil
diff --git a/setup.py b/setup.py
index deb6457..d3f20f4 100644
--- a/setup.py
+++ b/setup.py
@@ -37,6 +37,7 @@ setuptools.setup(
 data_files=[
 ("/usr/share/licenses/udica", ["LICENSE"]),
 ("/usr/share/udica/ansible", ["udica/ansible/deploy-module.yml"]),
+ ("/usr/share/udica/macros", ["udica/macros/confined_user_macros.cil"]),
 ],
 # scripts=["bin/udica"],
 entry_points={"console_scripts": ["udica=udica.__main__:main"]},
diff --git a/udica/__main__.py b/udica/__main__.py
index 43d2e43..2bbd401 100644
--- a/udica/__main__.py
+++ b/udica/__main__.py
@@ -13,8 +13,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-import subprocess
 import argparse
+import subprocess
+import sys
 # import udica
 from udica.parse import parse_avc_file
@@ -25,116 +26,214 @@ from udica.policy import create_policy, load_policy, generate_playbook
 def get_args():
- parser = argparse.ArgumentParser(
- description="Script generates SELinux policy for running container."
- )
- parser.add_argument("-V", "--version", action="version", version=version)
- parser.add_argument(
- type=str, help="Name for SELinux policy module", dest="ContainerName"
- )
- parser.add_argument(
- "-i",
- "--container-id",
- type=str,
- help="Running container ID",
- dest="ContainerID",
- default=None,
- )
- parser.add_argument(
- "-j",
- "--json",
- help='Load json from this file, use "-j -" for stdin',
- required=False,
- dest="JsonFile",
- default=None,
- )
- parser.add_argument(
- "--full-network-access",
- help="Allow container full Network access ",
- required=False,
- dest="FullNetworkAccess",
- action="store_true",
- )
- parser.add_argument(
- "--tty-access",
- help="Allow container to read and write the controlling terminal ",
- required=False,
- dest="TtyAccess",
- action="store_true",
- )
- parser.add_argument(
- "--X-access",
- help="Allow container to communicate with Xserver ",
- required=False,
- dest="XAccess",
- action="store_true",
- )
- parser.add_argument(
- "--virt-access",
- help="Allow container to communicate with libvirt ",
- required=False,
- dest="VirtAccess",
- action="store_true",
- )
- parser.add_argument(
- "-s",
- "--stream-connect",
- help="Allow container to stream connect with given SELinux domain ",
- required=False,
- dest="StreamConnect",
- )
- parser.add_argument(
- "-l",
- "--load-modules",
- help="Load templates and module created by this tool ",
- required=False,
- dest="LoadModules",
- action="store_true",
- )
- parser.add_argument(
- "-c",
- "--caps",
- help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"',
- required=False,
- dest="Caps",
- default=None,
- )
- parser.add_argument(
- "--devices",
- type=str,
- help='List of devices the container should have access to, e.g "--devices /dev/dri/card0,/dev/dri/renderD128"',
- dest="Devices",
- required=False,
- default=None,
- )
- parser.add_argument(
- "-d",
- "--ansible",
- help="Generate ansible playbook to deploy SELinux policy for containers ",
- required=False,
- dest="Ansible",
- action="store_true",
- )
- parser.add_argument(
- "-a",
- "--append-rules",
- type=str,
- help="Append more SELinux allow rules from file",
- dest="FileAVCS",
- required=False,
- default=None,
- )
- parser.add_argument(
- "-e",
- "--container-engine",
- type=str,
- help="Specify which container engine is used for the inspected container (supports: {})".format(
- ", ".join(ENGINE_ALL)
- ),
- dest="ContainerEngine",
- required=False,
- default="-",
- )
+ if "confined_user" in sys.argv:
+ # set up confined_user parser (do not show normal "udica" options)
+ parser = argparse.ArgumentParser(
+ description="SELinux confined user policy generator"
+ )
+ parser.add_argument("confined_user")
+ parser.add_argument(
+ "-a",
+ "--admin_commands",
+ action="store_true",
+ default=False,
+ dest="admin_commands",
+ help="Use administrative commands (vipw, passwd, ...)",
+ )
+ parser.add_argument(
+ "-g",
+ "--graphical_login",
+ action="store_true",
+ default=False,
+ dest="graphical_login",
+ help="Use graphical login environment",
+ )
+ parser.add_argument(
+ "-m",
+ "--mozilla_usage",
+ action="store_true",
+ default=False,
+ dest="mozilla_usage",
+ help="Use mozilla firefox",
+ )
+ parser.add_argument(
+ "-n",
+ "--networking",
+ action="store_true",
+ default=False,
+ dest="networking",
+ help="Manage basic networking (ip, ifconfig, traceroute, tcpdump, ...)",
+ )
+ parser.add_argument(
+ "-d",
+ "--security_advanced",
+ action="store_true",
+ default=False,
+ dest="security_advanced",
+ help="Manage SELinux settings (semanage, semodule, sepolicy, ...)",
+ )
+ parser.add_argument(
+ "-i",
+ "--security_basic",
+ action="store_true",
+ default=False,
+ dest="security_basic",
+ help="Use read-only security-related tools (seinfo, getsebool, sesearch, ...)",
+ )
+ parser.add_argument(
+ "-s",
+ "--sudo",
+ action="store_true",
+ default=False,
+ dest="sudo",
+ help="Run commands as root using sudo",
+ )
+ parser.add_argument(
+ "-l",
+ "--user_login",
+ action="store_true",
+ default=False,
+ dest="user_login",
+ help="Basic rules common to all users (tty, pty, ...)",
+ )
+ parser.add_argument(
+ "-c",
+ "--ssh_connect",
+ action="store_true",
+ default=False,
+ dest="ssh_connect",
+ help="Connect over SSH",
+ )
+ parser.add_argument(
+ "-b",
+ "--basic_commands",
+ action="store_true",
+ default=False,
+ dest="basic_commands",
+ help="Use basic commands (date, ls, ps, man, systemctl -user, journalctl -user, passwd, ...)",
+ )
+ parser.add_argument("--level", nargs="?", default="s0", dest="level")
+ parser.add_argument(
+ "--range", nargs="?", default="s0-s0:c0.c1023", dest="range"
+ )
+ parser.add_argument("uname")
+ else:
+ # set up normal udica parser
+ parser = argparse.ArgumentParser(
+ description="Script generates SELinux policy for running container.",
+ prog="udica [confined_user]",
+ formatter_class=argparse.RawDescriptionHelpFormatter,
+ epilog="""Additional options:
+ confined_user Generate policy for a new confined user instead of a container policy""",
+ )
+ parser.add_argument("-V", "--version", action="version", version=version)
+ parser.add_argument(
+ type=str, help="Name for SELinux policy module", dest="ContainerName"
+ )
+ parser.add_argument(
+ "-i",
+ "--container-id",
+ type=str,
+ help="Running container ID",
+ dest="ContainerID",
+ default=None,
+ )
+ parser.add_argument(
+ "-j",
+ "--json",
+ help='Load json from this file, use "-j -" for stdin',
+ required=False,
+ dest="JsonFile",
+ default=None,
+ )
+ parser.add_argument(
+ "--full-network-access",
+ help="Allow container full Network access ",
+ required=False,
+ dest="FullNetworkAccess",
+ action="store_true",
+ )
+ parser.add_argument(
+ "--tty-access",
+ help="Allow container to read and write the controlling terminal ",
+ required=False,
+ dest="TtyAccess",
+ action="store_true",
+ )
+ parser.add_argument(
+ "--X-access",
+ help="Allow container to communicate with Xserver ",
+ required=False,
+ dest="XAccess",
+ action="store_true",
+ )
+ parser.add_argument(
+ "--virt-access",
+ help="Allow container to communicate with libvirt ",
+ required=False,
+ dest="VirtAccess",
+ action="store_true",
+ )
+ parser.add_argument(
+ "-s",
+ "--stream-connect",
+ help="Allow container to stream connect with given SELinux domain ",
+ required=False,
+ dest="StreamConnect",
+ )
+ parser.add_argument(
+ "-l",
+ "--load-modules",
+ help="Load templates and module created by this tool ",
+ required=False,
+ dest="LoadModules",
+ action="store_true",
+ )
+ parser.add_argument(
+ "-c",
+ "--caps",
+ help='List of capabilities, e.g "-c AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"',
+ required=False,
+ dest="Caps",
+ default=None,
+ )
+ parser.add_argument(
+ "--devices",
+ type=str,
+ help='List of devices the container should have access to, e.g "--devices /dev/dri/card0,/dev/dri/renderD128"',
+ dest="Devices",
+ required=False,
+ default=None,
+ )
+ parser.add_argument(
+ "-d",
+ "--ansible",
+ help="Generate ansible playbook to deploy SELinux policy for containers ",
+ required=False,
+ dest="Ansible",
+ action="store_true",
+ )
+ parser.add_argument(
+ "-a",
+ "--append-rules",
+ type=str,
+ help="Append more SELinux allow rules from file",
+ dest="FileAVCS",
+ required=False,
+ default=None,
+ )
+ parser.add_argument(
+ "-e",
+ "--container-engine",
+ type=str,
+ help="Specify which container engine is used for the inspected container (supports: {})".format(
+ ", ".join(ENGINE_ALL)
+ ),
+ dest="ContainerEngine",
+ required=False,
+ default="-",
+ )
+
 args = parser.parse_args()
 return vars(args)
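Review bot: The mode switch `if "confined_user" in sys.argv:` matches the literal anywhere on the command line, so a container policy named `confined_user` or a value such as `-s confined_user` selects the confined-user parser instead of the container one, and the positional `parser.add_argument("confined_user")` accepts any value, so `udica bob confined_user` parses cleanly with `uname` set to `confined_user`. The cleaner fix is a real subcommand via `parser.add_subparsers(dest="command")`, which presumably also lets argparse print one coherent help page; the minimal change is `if len(sys.argv) > 1 and sys.argv[1] == "confined_user":` together with `parser.add_argument("confined_user", choices=["confined_user"])`. The same weakness carries into main()'s `if "confined_user" in opts.keys():`, which only tests for the key and is true whatever the positional held. Several short options (`-a`, `-c`, `-d`, `-i`, `-l`, `-s`) mean different things in the two modes, which is worth a sentence in the epilog so that container-mode users are not surprised.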
@@ -142,6 +241,13 @@ def get_args():
 def main():
 opts = get_args()
+ # generate confined user policy
+ if "confined_user" in opts.keys():
+ from udica.confined_user import create_confined_user_policy
+
+ create_confined_user_policy(opts)
+ return
+
 if opts["ContainerID"]:
 container_inspect_raw = None
 for backend in [ENGINE_PODMAN, ENGINE_DOCKER]:
@@ -167,8 +273,6 @@ def main():
 if opts["JsonFile"]:
 if opts["JsonFile"] == "-":
- import sys
-
 container_inspect_raw = sys.stdin.read()
 else:
 import os.path
@@ -182,8 +286,6 @@ def main():
 if (not opts["JsonFile"]) and (not opts["ContainerID"]):
 try:
- import sys
-
 container_inspect_raw = sys.stdin.read()
 except Exception as e:
 print("Couldn't parse inspect data from stdin:", e)
diff --git a/udica/confined_user.py b/udica/confined_user.py
new file mode 100644
index 0000000..796f543
--- /dev/null
+++ b/udica/confined_user.py
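Review bot: `if "confined_user" in opts.keys():` in main() should read `if "confined_user" in opts:`; a dict already supports membership tests and the `.keys()` view adds nothing. The function-scope `from udica.confined_user import create_confined_user_policy` presumably keeps the new module out of the container code path, which deserves a one-line comment such as `# imported lazily: only the confined_user mode needs this module`, since the same commit otherwise moves the local `import sys` to module level. main() continues past the hunk.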
@@ -0,0 +1,134 @@
+# Copyright (C) 2023 Vit Mojzis,
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+MACRO_CALLS = {
+ "admin_commands": (
+ "(call confinedom_admin_commands_macro ({}))",
+ ("_t", "_r", "_sudo_t"),
+ ),
+ "graphical_login": (
+ "(call confinedom_graphical_login_macro ({}))",
+ ("_t", "_r", "_dbus_t"),
+ ),
+ "mozilla_usage": ("(call confinedom_mozilla_usage_macro ({}))", ("_t", "_r")),
+ "networking": ("(call confinedom_networking_macro ({}))", ("_t", "_r")),
+ "security_advanced": (
+ "(call confinedom_security_advanced_macro ({}))",
+ ("_t", "_r", "_sudo_t", "_userhelper_t"),
+ ),
+ "security_basic": ("(call confinedom_security_basic_macro ({}))", ("_t", "_r")),
+ "sudo": (
+ "(call confinedom_sudo_macro ({}))",
+ ("_t", "_r", "_sudo_t", "_sudo_tmp_t"),
+ ),
+ "user_login": (
+ "(call confinedom_user_login_macro ({}))",
+ ("_t", "_r", "_gkeyringd_t", "_dbus_t", "_exec_content"),
+ ),
+ "ssh_connect": (
+ "(call confined_ssh_connect_macro ({}))",
+ ("_t", "_r", "_ssh_agent_t"),
+ ),
+ "basic_commands": ("(call confined_use_basic_commands_macro ({}))", ("_t", "_r")),
+}
+
+TYPE_DEFS = {
+ "_t": "(type {}_t)",
+ "_r": "(role {}_r)",
+ "_dbus_t": "(type {}_dbus_t)",
+ "_gkeyringd_t": "(type {}_gkeyringd_t)",
+ "_ssh_agent_t": "(type {}_ssh_agent_t)",
+ "_sudo_t": "(type {}_sudo_t)",
+ "_sudo_tmp_t": "(type {}_sudo_tmp_t)",
+ "_userhelper_t": "(type {}_userhelper_t)",
+ "_exec_content": "(boolean {}_exec_content true)",
+}
+
+
+ def create_confined_user_policy(opts):
+ # MCS/MLS range handling - needs to be separated into up-to 4 parts
+ # s0-s15:c0.c1023 -> (userrange {uname}_u ((s0 ) (s15 (range c0 c1023))))
+ # s0:c0 -> (userrange {uname}_u ((s0 ) (s0 (c0))))
+ mls_range = opts["range"]
+ mcs_range = ""
+ # separate MCS portion
+ if ":" in opts["range"]:
+ # s0:c0.c1023
+ (mls_range, mcs_range) = opts["range"].split(":")
+ if "-" in mls_range:
+ # s0-s15
+ (range_l, range_h) = mls_range.split("-")
+ else:
+ # s0
+ range_l = mls_range
+ range_h = range_l
+ if mcs_range != "":
+ if "." in mcs_range:
+ # s0:c0.c1023 -> (userrange {uname}_u ((s0 ) (s0 (range c0 c1023))))
+ (mcs_range_l, mcs_range_h) = mcs_range.split(".")
+ mcs_range = "(range {} {})".format(mcs_range_l, mcs_range_h)
+ else:
+ # s0:c0 -> (userrange {uname}_u ((s0 ) (s0 (c0))))
+ mcs_range = "({})".format(mcs_range)
+
+ range = "({} ) ({} {})".format(range_l, range_h, mcs_range)
+
+ defs = set()
+
+ policy = """
+(user {uname}_u)
+(userrole {uname}_u {uname}_r)
+(userlevel {uname}_u ({level}))
+(userrange {uname}_u ({range}))
+""".format(
+ uname=opts["uname"], level=opts["level"], range=range
+ )
+
+ # process arguments determining which macros are to be used
+ for arg, value in opts.items():
+ if not value or arg not in MACRO_CALLS.keys():
+ continue
+ for param in MACRO_CALLS[arg][1]:
+ defs.add(TYPE_DEFS[param].format(opts["uname"]))
+ policy += "\n" + (
+ MACRO_CALLS[arg][0].format(
+ " ".join([opts["uname"] + s for s in MACRO_CALLS[arg][1]])
+ )
+ )
+ # print("{}: {}".format(arg, value))
+
+ policy = "\n".join(sorted(defs)) + policy
+
+ with open("{}.cil".format(opts["uname"]), "w") as f:
+ f.write(policy)
+
+ print("Created {}.cil".format(opts["uname"]))
+ print("Run the following commands to apply the new policy:")
+ print("Install the new policy module")
+ print(
+ "# semodule -i {}.cil /usr/share/udica/macros/confined_user_macros.cil".format(
+ opts["uname"]
+ )
+ )
+ print("Create a default context file for the new user")
+ print(
+ "# sed -e ’s|user|{}|g’ /etc/selinux/targeted/contexts/users/user_u > /etc/selinux/targeted/contexts/users/{}_u".format(
+ opts["uname"], opts["uname"]
+ )
+ )
+ print("Map the new selinux user to an existing user account")
+ print("# semanage login -a -s {}_u {}".format(opts["uname"], opts["uname"]))
+ print("Fix labels in the user's home direcotry")
+ print("# restorecon -RvF /home/{}".format(opts["uname"]))
diff --git a/udica/macros/confined_user_macros.cil b/udica/macros/confined_user_macros.cil
new file mode 100644
index 0000000..ddb5689
--- /dev/null
+++ b/udica/macros/confined_user_macros.cil
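Review bot: `create_confined_user_policy` uses `opts["uname"]`, `opts["level"]` and `opts["range"]` without any validation: `uname` is spliced into CIL identifiers, into the output path `"{}.cil".format(opts["uname"])` and into the printed shell commands, while `range` is taken apart with `split(":")`, `split("-")` and `split(".")` whose tuple unpacking raises an uncaught ValueError for input such as `s0:c0:c1`, so both should be checked up front and rejected with a clear message (sketch below; `re` and `sys` would need importing at the top of the module). The sed command is printed with typographic quotes, `’s|user|{}|g’`, which a shell does not treat as quoting, so the pasted instruction fails; it should read `'s|user|{}|g'`, and `direcotry` in the last message is a typo. The `/etc/selinux/targeted/...`, `/home/{}` and `/usr/share/udica/macros/...` paths are hard-coded, which presumably holds on the intended targets but deserves a comment naming the assumption, since a non-default policy store, install prefix or home location makes the printed steps wrong. `range = "({} ) ({} {})".format(...)` shadows the builtin and the commented-out `# print(...)` debug line should go.
```python
def create_confined_user_policy(opts):
    uname = opts["uname"]
    # uname becomes a CIL identifier, the output file name and part of the
    # printed shell commands, so accept only a plain identifier (conservative;
    # widen if the policy store is known to accept more).
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", uname):
        sys.exit("Invalid user name '{}': use letters, digits and '_' only".format(uname))
    # Only the shapes the split() calls below can handle:
    # s0, s0-s15, s0:c0, s0:c0.c1023, s0-s15:c0.c1023.
    if not re.fullmatch(r"s[0-9]+(-s[0-9]+)?(:c[0-9]+(\.c[0-9]+)?)?", opts["range"]):
        sys.exit("Invalid MLS/MCS range '{}'".format(opts["range"]))
    # level is emitted verbatim as ({level}); the template only expresses a bare sensitivity.
    if not re.fullmatch(r"s[0-9]+", opts["level"]):
        sys.exit("Invalid MLS level '{}'".format(opts["level"]))
    # … unchanged: range splitting, policy assembly, file output and printed instructions …
```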
@@ -0,0 +1,4367 @@ +(typeattribute login_confinedom) + +(optional confined_transition_userdomain_optional + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require xdm_t) + (typeattributeset cil_gen_require login_confinedom) + (typeattributeset cil_gen_require xsession_exec_t) + (allow xdm_t xsession_exec_t (file (ioctl read getattr map execute open))) + (allow xdm_t login_confinedom (process (transition))) + (allow login_confinedom xdm_t (fd (use))) + (allow login_confinedom xdm_t (fifo_file (ioctl read write getattr lock append open))) + (allow login_confinedom xdm_t (process (sigchld))) +) + +(optional confined_xsession_spec_domtrans_conf_users_optional + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require xdm_t) + (typeattributeset cil_gen_require login_confinedom) + (allow init_t login_confinedom (process (transition))) +) + +(macro confinedom_admin_commands_macro ((type utype) (role urole) (type sudo_type)) + (optional confinedom_admin_commands_optional_2 + (roleattributeset cil_gen_require urole) + (roleattributeset cil_gen_require iptables_roles) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require sudo_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require usbmon_device_t) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require policy_config_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require modules_object_t) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require files_unconfined_type) + (typeattributeset cil_gen_require init_var_run_t) + (typeattributeset cil_gen_require init_var_lib_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require 
iptables_t) + (typeattributeset cil_gen_require iptables_exec_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require proc_net_t) + (typeattributeset cil_gen_require auditd_t) + (typeattributeset cil_gen_require auditd_etc_t) + (typeattributeset cil_gen_require auditd_log_t) + (typeattributeset cil_gen_require auditd_var_run_t) + (typeattributeset cil_gen_require auditd_initrc_exec_t) + (typeattributeset cil_gen_require auditd_unit_file_t) + (typeattributeset cil_gen_require auditctl_t) + (typeattributeset cil_gen_require auditctl_exec_t) + (typeattributeset cil_gen_require initrc_t) + (typeattributeset cil_gen_require initrc_transition_domain) + (typeattributeset cil_gen_require filesystem_type) + (typeattributeset cil_gen_require can_system_change) + (typeattributeset cil_gen_require systemd_systemctl_exec_t) + (typeattributeset cil_gen_require cgroup_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require efivarfs_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require systemd_logind_var_run_t) + (typeattributeset cil_gen_require systemd_passwd_agent_t) + (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) + (typeattributeset cil_gen_require systemd_passwd_var_run_t) + (typeattributeset cil_gen_require syslogd_t) + (typeattributeset cil_gen_require klogd_t) + (typeattributeset cil_gen_require syslog_conf_t) + (typeattributeset cil_gen_require syslogd_tmp_t) + (typeattributeset cil_gen_require syslogd_var_lib_t) + (typeattributeset cil_gen_require syslogd_var_run_t) + (typeattributeset cil_gen_require klogd_var_run_t) + (typeattributeset cil_gen_require klogd_tmp_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require syslogd_initrc_exec_t) + (typeattributeset cil_gen_require logfile) + 
(typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require user_home_t) + (typeattributeset cil_gen_require user_home_type) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require passwd_t) + (typeattributeset cil_gen_require passwd_exec_t) + (roleattributeset cil_gen_require iptables_roles) + (roleattributeset iptables_roles (urole )) + (roleattributeset cil_gen_require urole) + (roletype urole auditctl_t) + (typeattributeset cil_gen_require initrc_transition_domain) + (typeattributeset initrc_transition_domain (utype )) + (typeattributeset cil_gen_require files_unconfined_type) + (typeattributeset files_unconfined_type (utype )) + (typeattributeset cil_gen_require can_system_change) + (typeattributeset can_system_change (utype )) + (allow utype self (capability (net_raw))) + (allow utype self (netlink_generic_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow utype self (netlink_netfilter_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow utype self (netlink_rdma_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow utype self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow utype self (packet_socket (map))) + (allow sudo_type utype (unix_stream_socket (connectto))) + (allow sudo_type self (bluetooth_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow sudo_type self (capability (net_raw))) + (allow sudo_type self (netlink_generic_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow sudo_type self (netlink_netfilter_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow sudo_type self (netlink_rdma_socket (ioctl read 
write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow sudo_type self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow sudo_type self (packet_socket (map))) + (allow utype domain (process (getattr))) + (allow utype usbmon_device_t (chr_file (map))) + (allow utype device_t (dir (getattr open search))) + (allow utype usbmon_device_t (chr_file (ioctl read getattr lock open))) + (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type non_auth_file_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type non_auth_file_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type non_auth_file_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type non_auth_file_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow sudo_type non_auth_file_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type non_auth_file_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type selinux_config_t (dir (getattr open search))) + (allow sudo_type policy_config_t (dir (ioctl write getattr lock open add_name search))) + (allow sudo_type policy_config_t (file 
(create getattr open))) + (allow sudo_type policy_config_t (dir (getattr open search))) + (allow sudo_type policy_config_t (file (ioctl write getattr lock append open))) + (allow sudo_type modules_object_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type modules_object_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow sudo_type file_type (dir (ioctl read getattr lock open search))) + (allow sudo_type file_type (dir (getattr open search))) + (allow sudo_type file_type (lnk_file (read getattr))) + (allow sudo_type init_var_run_t (dir (ioctl read getattr lock open search))) + (allow sudo_type init_var_run_t (dir (ioctl write getattr lock open add_name search))) + (allow sudo_type init_var_run_t (dir (create getattr))) + (allow sudo_type var_t (dir (getattr open search))) + (allow sudo_type var_lib_t (dir (getattr open search))) + (allow sudo_type init_var_lib_t (dir (getattr open search))) + (allow sudo_type init_var_lib_t (file (ioctl read getattr map open))) + (allow sudo_type init_t (dir (getattr open search))) + (allow sudo_type init_t (file (ioctl read getattr lock open))) + (allow sudo_type init_t (lnk_file (read getattr))) + (allow sudo_type init_var_run_t (sock_file (write))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype iptables_exec_t (file (ioctl read getattr map execute open))) + (allow utype iptables_t (process (transition))) + (typetransition utype iptables_exec_t process iptables_t) + (allow iptables_t utype (fd (use))) + (allow iptables_t utype (fifo_file (ioctl read write getattr lock append))) + (allow iptables_t utype (process (sigchld))) + (allow utype iptables_exec_t (file (map))) + (allow sudo_type proc_t (dir (getattr open search))) + (allow sudo_type proc_net_t (dir (getattr 
open search))) + (allow sudo_type proc_net_t (file (ioctl read getattr lock open))) + (allow sudo_type proc_t (dir (getattr open search))) + (allow sudo_type proc_net_t (dir (getattr open search))) + (allow sudo_type proc_net_t (lnk_file (read getattr))) + (allow sudo_type proc_t (dir (getattr open search))) + (allow sudo_type proc_net_t (dir (ioctl read getattr lock open search))) + (allow utype auditd_t (process (sigchld sigkill sigstop signull signal))) + (allow utype auditd_t (dir (ioctl read getattr lock open search))) + (allow utype auditd_t (file (ioctl read getattr lock open))) + (allow utype auditd_t (lnk_file (read getattr))) + (allow utype auditd_t (process (getattr))) + (allow utype auditd_etc_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_etc_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype auditd_etc_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_etc_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype auditd_log_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_log_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype auditd_log_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_log_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype auditd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype auditd_var_run_t (dir 
(ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype auditctl_exec_t (file (ioctl read getattr map execute open))) + (allow utype auditctl_t (process (transition))) + (typetransition utype auditctl_exec_t process auditctl_t) + (allow auditctl_t utype (fd (use))) + (allow auditctl_t utype (fifo_file (ioctl read write getattr lock append))) + (allow auditctl_t utype (process (sigchld))) + (allow utype filesystem_type (dir (getattr open search))) + (allow utype auditd_initrc_exec_t (file (ioctl read getattr map execute open))) + (allow utype initrc_t (process (transition))) + (typetransition utype auditd_initrc_exec_t process initrc_t) + (allow initrc_t utype (fd (use))) + (allow initrc_t utype (fifo_file (ioctl read write getattr lock append))) + (allow initrc_t utype (process (sigchld))) + (allow utype auditd_initrc_exec_t (file (ioctl))) + (allow utype etc_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (dir (ioctl read getattr lock open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (file (ioctl read getattr lock open))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (lnk_file (read getattr))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t 
(dir (getattr open search))) + (allow utype efivarfs_t (dir (getattr open search))) + (allow utype efivarfs_t (file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) + (allow utype init_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype init_t (dir (getattr open search))) + (allow utype init_t (file (ioctl read getattr lock open))) + (allow utype init_t (lnk_file (read getattr))) + (allow utype init_t (unix_stream_socket (sendto))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (sock_file (write getattr append open))) + (allow utype init_t (unix_stream_socket (connectto))) + (allow utype init_t (unix_stream_socket (getattr))) + (dontaudit utype self (process (setrlimit))) + (dontaudit utype self (capability (sys_resource))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) + (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow 
utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow systemd_passwd_agent_t utype (process (signull))) + (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) + (dontaudit utype self (capability (net_admin sys_ptrace))) + (allow utype auditd_unit_file_t (file (ioctl read getattr lock open))) + (allow utype auditd_unit_file_t (service (start stop status reload enable disable))) + (allow utype auditd_t (dir (ioctl read getattr lock open search))) + (allow utype auditd_t (file (ioctl read getattr lock open))) + (allow utype auditd_t (lnk_file (read getattr))) + (allow utype auditd_t (process (getattr))) + (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_unit_file_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_unit_file_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) + 
(allow utype auditd_unit_file_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_unit_file_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype auditd_unit_file_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype auditd_unit_file_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype auditd_unit_file_t (dir (getattr open search))) + (allow utype auditd_unit_file_t (dir (getattr relabelfrom relabelto))) + (allow utype auditd_unit_file_t (dir (getattr open search))) + (allow utype auditd_unit_file_t (file (getattr relabelfrom relabelto))) + (allow utype auditd_unit_file_t (dir (getattr open search))) + (allow utype auditd_unit_file_t (lnk_file (getattr relabelfrom relabelto))) + (allow utype auditd_unit_file_t (dir (getattr open search))) + (allow utype auditd_unit_file_t (fifo_file (getattr relabelfrom relabelto))) + (allow utype auditd_unit_file_t (dir (getattr open search))) + (allow utype auditd_unit_file_t (sock_file (getattr relabelfrom relabelto))) + (allow utype auditd_unit_file_t (service (start stop status reload enable disable))) + (allow utype self (capability2 (syslog))) + (allow utype syslogd_t (process (sigchld sigkill sigstop signull signal))) + (allow utype klogd_t (process (sigchld sigkill sigstop signull signal))) + (allow utype syslogd_t (dir (ioctl read getattr lock open search))) + (allow utype syslogd_t (file (ioctl read getattr lock open))) + (allow utype syslogd_t (lnk_file (read getattr))) + (allow utype syslogd_t (process (getattr))) + (allow utype klogd_t (dir (ioctl read getattr lock open search))) + (allow utype klogd_t (file (ioctl read getattr lock open))) + (allow utype klogd_t (lnk_file (read getattr))) + (allow 
utype klogd_t (process (getattr))) + (allow utype klogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype klogd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype klogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype klogd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype klogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype klogd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype klogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype klogd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype syslogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype syslogd_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype syslog_conf_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslog_conf_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype syslog_conf_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslog_conf_t (file (ioctl read write create getattr setattr lock 
append unlink link rename open watch watch_reads))) + (allow utype etc_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition utype etc_t file syslog_conf_t) + (allow utype syslogd_var_lib_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_var_lib_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype syslogd_var_lib_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_var_lib_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype syslogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype syslogd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype syslogd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype var_t (dir (getattr open search))) + (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype logfile (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype logfile (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype logfile (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype logfile (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype 
logfile (file (map))) + (allow utype logfile (dir (getattr relabelfrom relabelto))) + (allow utype logfile (file (getattr relabelfrom relabelto))) + (allow utype filesystem_type (dir (getattr open search))) + (allow utype syslogd_initrc_exec_t (file (ioctl read getattr map execute open))) + (allow utype initrc_t (process (transition))) + (typetransition utype syslogd_initrc_exec_t process initrc_t) + (allow initrc_t utype (fd (use))) + (allow initrc_t utype (fifo_file (ioctl read write getattr lock append))) + (allow initrc_t utype (process (sigchld))) + (allow utype syslogd_initrc_exec_t (file (ioctl))) + (allow utype etc_t (dir (getattr open search))) + (allow sudo_type home_root_t (dir (ioctl read getattr lock open search))) + (allow sudo_type home_root_t (lnk_file (read getattr))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow 
sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow sudo_type user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition sudo_type user_home_dir_t fifo_file user_home_t) + (typetransition sudo_type user_home_dir_t sock_file user_home_t) + (typetransition sudo_type user_home_dir_t lnk_file user_home_t) + (typetransition sudo_type user_home_dir_t dir user_home_t) + (typetransition sudo_type user_home_dir_t file user_home_t) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type passwd_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type passwd_t (process (transition))) + (typetransition sudo_type passwd_exec_t process passwd_t) + (allow passwd_t sudo_type (fd (use))) + (allow passwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow passwd_t sudo_type (process (sigchld))) + (roletransition urole syslogd_initrc_exec_t process system_r) + (roletransition urole auditd_initrc_exec_t process system_r) + (roleallow urole system_r) + (roleallow urole system_r) + (booleanif (deny_ptrace) + (false + (allow utype auditd_t (process (ptrace))) + (allow utype klogd_t (process (ptrace))) + (allow utype syslogd_t (process (ptrace))) + ) + ) + (optional confinedom_admin_commands_optional_3 + (typeattributeset 
cil_gen_require tuned_t) + (allow utype tuned_t (dbus (send_msg))) + (allow tuned_t utype (dbus (send_msg))) + ) + (optional confinedom_admin_commands_optional_4 + (roleattributeset cil_gen_require wireshark_roles) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require wireshark_t) + (typeattributeset cil_gen_require wireshark_exec_t) + (typeattributeset cil_gen_require wireshark_home_t) + (typeattributeset cil_gen_require wireshark_tmp_t) + (typeattributeset cil_gen_require wireshark_tmpfs_t) + (roleattributeset cil_gen_require wireshark_roles) + (roleattributeset wireshark_roles (urole )) + (allow utype wireshark_exec_t (file (ioctl read getattr map execute open))) + (allow utype wireshark_t (process (transition))) + (typetransition utype wireshark_exec_t process wireshark_t) + (allow wireshark_t utype (fd (use))) + (allow wireshark_t utype (fifo_file (ioctl read write getattr lock append))) + (allow wireshark_t utype (process (sigchld))) + (allow utype wireshark_t (process (sigchld sigkill sigstop signull signal ptrace))) + (allow utype wireshark_t (dir (ioctl read getattr lock open search))) + (allow utype wireshark_t (file (ioctl read getattr lock open))) + (allow utype wireshark_t (lnk_file (read getattr))) + (allow utype wireshark_t (process (getattr))) + (allow utype wireshark_home_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype wireshark_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype wireshark_tmpfs_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype wireshark_home_t (file (ioctl read write 
create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype wireshark_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype wireshark_tmpfs_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype wireshark_home_t (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename watch watch_reads))) + (allow utype wireshark_tmpfs_t (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename watch watch_reads))) + (allow utype wireshark_tmpfs_t (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open))) + (allow utype wireshark_tmpfs_t (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype wireshark_t (shm (getattr read write associate unix_read unix_write lock))) + (typetransition utype user_home_dir_t dir ".wireshark" wireshark_home_t) + ) + ) +) + +(macro confinedom_graphical_login_macro ((type utype) (role urole) (type dbusd_type)) + + (optional confinedom_graphical_login_optional_2 + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require user_tmpfs_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset 
cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require port_type) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require sound_device_t) + (typeattributeset cil_gen_require event_device_t) + (typeattributeset cil_gen_require v4l_device_t) + (typeattributeset cil_gen_require wireless_device_t) + (typeattributeset cil_gen_require configfile) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require lib_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require usbfs_t) + (typeattributeset cil_gen_require usb_device_t) + (typeattributeset cil_gen_require noxattrfs) + (typeattributeset cil_gen_require dosfs_t) + (typeattributeset cil_gen_require removable_device_t) + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require sysctl_t) + (typeattributeset cil_gen_require sysctl_dev_t) + (typeattributeset cil_gen_require fonts_t) + (typeattributeset cil_gen_require locale_t) + (typeattributeset cil_gen_require mount_t) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require default_context_t) + (typeattributeset cil_gen_require fuse_device_t) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require user_home_t) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require user_home_type) + (typeattributeset cil_gen_require userdom_filetrans_type) + (typeattributeset cil_gen_require nfs_t) + (typeattributeset cil_gen_require autofs_t) + (typeattributeset cil_gen_require cifs_t) + (typeattributeset cil_gen_require xauth_t) + (typeattributeset cil_gen_require iceauth_t) + (typeattributeset cil_gen_require dridomain) + (typeattributeset cil_gen_require x_userdomain) + (typeattributeset 
cil_gen_require root_xdrawable_t) + (typeattributeset cil_gen_require xdm_t) + (typeattributeset cil_gen_require xserver_t) + (typeattributeset cil_gen_require xproperty_t) + (typeattributeset cil_gen_require user_xproperty_t) + (typeattributeset cil_gen_require xevent_t) + (typeattributeset cil_gen_require client_xevent_t) + (typeattributeset cil_gen_require input_xevent_t) + (typeattributeset cil_gen_require user_input_xevent_t) + (typeattributeset cil_gen_require x_domain) + (typeattributeset cil_gen_require input_xevent_type) + (typeattributeset cil_gen_require xdrawable_type) + (typeattributeset cil_gen_require xcolormap_type) + (typeattributeset cil_gen_require xdm_var_run_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require userdomain) + (typeattributeset cil_gen_require xdm_log_t) + (typeattributeset cil_gen_require xdmhomewriter) + (roleattributeset cil_gen_require urole) + (roletype urole user_home_dir_t) + (roletype urole user_home_type) + (roletype urole xauth_t) + (roletype urole iceauth_t) + (typeattributeset cil_gen_require xcolormap_type) + (typeattributeset xcolormap_type (utype )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (bin_t usr_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (bin_t usr_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (bin_t usr_t )) + (typeattributeset cil_gen_require xdmhomewriter) + (typeattributeset xdmhomewriter (utype )) + (typeattributeset cil_gen_require xdrawable_type) + (typeattributeset xdrawable_type (utype )) + (typeattributeset cil_gen_require userdom_filetrans_type) + (typeattributeset userdom_filetrans_type (utype )) + (typeattributeset cil_gen_require x_domain) + (typeattributeset x_domain (utype )) + (typeattributeset cil_gen_require x_userdomain) + (typeattributeset x_userdomain (utype )) + (typeattributeset 
cil_gen_require entry_type) + (typeattributeset entry_type (bin_t usr_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (bin_t usr_t )) + (typeattributeset cil_gen_require dridomain) + (typeattributeset dridomain (utype )) + (allow utype bin_t (file (entrypoint))) + (allow utype bin_t (file (ioctl read getattr lock map execute open))) + (allow utype usr_t (file (entrypoint))) + (allow utype usr_t (file (ioctl read getattr lock map execute open))) + (allow utype port_type (tcp_socket (name_connect))) + (allow utype utype (process (getattr setrlimit execmem))) + (allow utype utype (system (ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload undefined))) + (allow utype utype (netlink_kobject_uevent_socket (read))) + (allow utype device_t (dir (getattr open search))) + (allow utype sound_device_t (chr_file (ioctl write getattr lock append open))) + (allow utype device_t (dir (getattr open search))) + (allow utype sound_device_t (chr_file (ioctl read getattr lock open))) + (allow utype sound_device_t (chr_file (map))) + (allow utype device_t (dir (getattr open search))) + (allow utype event_device_t (chr_file (ioctl read write getattr lock append))) + (allow utype device_t (dir (getattr open search))) + (allow utype v4l_device_t (chr_file (ioctl read getattr lock open))) + (allow utype device_t (dir (getattr open search))) + (allow utype v4l_device_t (chr_file (ioctl write getattr lock append open))) + (allow utype device_t (dir (getattr open search))) + (allow utype wireless_device_t (chr_file (ioctl read write getattr lock append open))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (getattr watch))) + (allow utype configfile (dir (ioctl read getattr lock open search))) + (allow utype configfile (dir (getattr open search))) + (allow utype configfile (file (ioctl read getattr lock open))) + (allow utype 
configfile (dir (getattr open search))) + (allow utype configfile (lnk_file (read getattr))) + (allow utype etc_t (dir (getattr watch))) + (allow utype home_root_t (dir (getattr watch))) + (allow utype lib_t (dir (getattr watch))) + (allow utype usr_t (dir (getattr watch))) + (allow utype usr_t (file (getattr watch))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr watch))) + (allow utype var_run_t (dir (getattr watch))) + (allow utype tmp_t (dir (getattr watch))) + (allow utype init_t (unix_stream_socket (ioctl read write getattr setattr lock append bind connect listen accept getopt setopt shutdown))) + (allow utype proc_t (dir (getattr open search))) + (allow utype sysctl_t (dir (getattr open search))) + (allow utype sysctl_dev_t (dir (getattr open search))) + (allow utype sysctl_dev_t (file (ioctl read getattr lock open))) + (allow utype proc_t (dir (getattr open search))) + (allow utype sysctl_t (dir (getattr open search))) + (allow utype sysctl_dev_t (dir (ioctl read getattr lock open search))) + (allow utype fonts_t (dir (getattr watch))) + (allow utype locale_t (dir (getattr open search))) + (allow utype locale_t (lnk_file (getattr watch))) + (allow utype mount_t (process (signal))) + (allow utype etc_t (dir (getattr open search))) + (allow utype selinux_config_t (dir (getattr open search))) + (allow utype default_context_t (dir (ioctl read getattr lock open search))) + (allow utype default_context_t (dir (getattr open search))) + (allow utype default_context_t (file (ioctl read getattr lock open))) + (allow utype fuse_device_t (chr_file (ioctl read write getattr lock append open))) + (allow utype user_tmp_t (file (execute))) + (typemember utype user_home_dir_t dir user_home_dir_t) + (allow utype user_home_t (dir (mounton))) + (allow utype user_home_t (file (entrypoint))) + (allow utype user_home_type (file (relabelfrom relabelto))) + (allow utype user_home_type (dir (relabelfrom relabelto))) + (allow utype 
user_home_type (lnk_file (relabelfrom relabelto))) + (allow utype user_home_type (chr_file (relabelfrom relabelto))) + (allow utype user_home_type (blk_file (relabelfrom relabelto))) + (allow utype user_home_type (sock_file (relabelfrom relabelto))) + (allow utype user_home_type (fifo_file (relabelfrom relabelto))) + (allow utype user_home_dir_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (fifo_file 
(ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype user_home_type (dir (getattr relabelfrom relabelto))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype user_home_type (file (getattr relabelfrom relabelto))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype user_home_type (lnk_file (getattr relabelfrom relabelto))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype user_home_type (sock_file (getattr relabelfrom relabelto))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype user_home_type (fifo_file (getattr relabelfrom relabelto))) + (allow utype home_root_t (dir (ioctl read getattr lock open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype user_home_dir_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (typetransition utype root_xdrawable_t x_drawable utype) + (typetransition utype input_xevent_t x_event user_input_xevent_t) + (allow utype user_input_xevent_t (x_event (send))) + (allow utype user_input_xevent_t (x_synthetic_event (send))) + (allow utype user_input_xevent_t (x_event (receive))) + (allow utype user_input_xevent_t (x_synthetic_event (receive))) + (allow utype client_xevent_t (x_event (receive))) + (allow utype client_xevent_t (x_synthetic_event 
(receive))) + (allow utype xevent_t (x_event (send receive))) + (allow utype xevent_t (x_synthetic_event (send receive))) + (dontaudit utype input_xevent_type (x_event (send))) + (allow utype xdm_t (x_drawable (read add_child manage hide))) + (allow utype xdm_t (x_client (destroy))) + (allow utype root_xdrawable_t (x_drawable (write))) + (allow utype xserver_t (x_server (manage))) + (allow utype xserver_t (x_screen (saver_setattr saver_hide saver_show show_cursor hide_cursor))) + (allow utype xserver_t (x_pointer (get_property set_property manage))) + (allow utype xserver_t (x_keyboard (read manage freeze))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype tmp_t (lnk_file (read getattr))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype xdm_var_run_t (dir (getattr open search))) + (allow utype xdm_var_run_t (sock_file (write getattr append open))) + (allow utype xdm_t (unix_stream_socket (connectto))) + (allow utype user_tmp_t (dir (getattr open search))) + (allow utype user_tmp_t (sock_file (write getattr append open))) + (allow utype userdomain (unix_stream_socket (connectto))) + (allow utype xdm_log_t (file (getattr append))) + (booleanif (use_samba_home_dirs) + (true + (allow utype cifs_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cifs_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cifs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename 
watch watch_reads))) + (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cifs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype cifs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cifs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype cifs_t (dir (mounton))) + (allow utype cifs_t (filesystem (mount))) + ) + ) + (booleanif (use_nfs_home_dirs) + (true + (allow utype nfs_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype nfs_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype nfs_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype autofs_t (dir (getattr open search))) + (allow utype nfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype nfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype autofs_t (dir (getattr open search))) + (allow utype nfs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype autofs_t (dir (getattr open search))) + (allow utype nfs_t (dir (mounton))) + (allow utype nfs_t (filesystem (mount))) + ) + ) + (booleanif (selinuxuser_rw_noexattrfile) + (true + (allow utype removable_device_t (blk_file (ioctl write getattr 
lock append open))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype removable_device_t (blk_file (ioctl read getattr lock open))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype dosfs_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype dosfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype dosfs_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype dosfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype noxattrfs (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype noxattrfs (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype noxattrfs (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype usb_device_t (chr_file (ioctl read write getattr lock append open))) + (allow utype device_t (dir (getattr open search))) + (allow utype usbfs_t (lnk_file (read getattr))) + (allow utype usbfs_t (dir (getattr open search))) + (allow utype usbfs_t (file (ioctl read write getattr lock append open))) + (allow utype usbfs_t (dir (getattr open search))) + (allow utype usbfs_t (dir (ioctl read getattr lock open search))) + (allow utype usbfs_t (dir (getattr open search))) + ) + ) + (optional confinedom_graphical_login_optional_3 + (typeattributeset cil_gen_require 
var_lib_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require alsa_var_lib_t) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype alsa_var_lib_t (dir (getattr open search))) + (allow utype alsa_var_lib_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_graphical_login_optional_4 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require fwupd_cache_t) + (allow utype var_t (dir (getattr open search))) + (allow utype fwupd_cache_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype fwupd_cache_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + ) + (optional confinedom_graphical_login_optional_5 + ;(type dbusd_type) + (roletype object_r dbusd_type) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require system_dbusd_t) + (typeattributeset cil_gen_require session_dbusd_tmp_t) + (typeattributeset cil_gen_require dbusd_unconfined) + (typeattributeset cil_gen_require session_bus_type) + (typeattributeset cil_gen_require dbusd_exec_t) + (typeattributeset cil_gen_require dbusd_etc_t) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require 
application_exec_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require system_dbusd_var_run_t) + (typeattributeset cil_gen_require system_dbusd_var_lib_t) + (typeattributeset cil_gen_require urandom_device_t) + (roleattributeset cil_gen_require urole) + (roletype urole dbusd_type) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (dbusd_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (dbusd_type )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (dbusd_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (dbusd_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (dbusd_type )) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset userdom_home_manager_type (dbusd_type )) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (dbusd_type )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (dbusd_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type 
(dbusd_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (dbusd_type )) + (typeattributeset cil_gen_require session_bus_type) + (typeattributeset session_bus_type (dbusd_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (dbusd_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (dbusd_type )) + (allow utype system_dbusd_t (dbus (acquire_svc))) + (allow utype session_dbusd_tmp_t (dir (ioctl write getattr lock open add_name search))) + (allow utype session_dbusd_tmp_t (sock_file (create getattr setattr open))) + (allow dbusd_type dbusd_exec_t (file (entrypoint))) + (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open))) + (allow dbusd_type security_t (lnk_file (read getattr))) + (allow dbusd_type sysfs_t (filesystem (getattr))) + (allow dbusd_type sysfs_t (dir (getattr open search))) + (allow dbusd_type sysfs_t (dir (getattr open search))) + (allow dbusd_type security_t (filesystem (getattr))) + (allow utype dbusd_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto))) + (allow dbusd_type utype (unix_stream_socket (read write getattr accept getopt))) + (allow dbusd_type utype (unix_dgram_socket (sendto))) + (allow utype dbusd_type (dbus (acquire_svc send_msg))) + (allow dbusd_unconfined dbusd_type (dbus (acquire_svc send_msg))) + (allow utype system_dbusd_t (dbus (acquire_svc send_msg))) + (allow utype dbusd_type (process (noatsecure siginh rlimitinh))) + (allow dbusd_type utype (dbus (send_msg))) + (allow utype dbusd_type (dbus (send_msg))) + (allow dbusd_type utype (system (start reload))) + (allow dbusd_type session_dbusd_tmp_t (service (start stop))) + (allow utype session_dbusd_tmp_t (dir (ioctl read write create getattr setattr 
lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype session_dbusd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype dbusd_exec_t (file (ioctl read getattr map execute open))) + (allow utype dbusd_type (process (transition))) + ;(typetransition utype dbusd_exec_t process dbusd_type) + (allow dbusd_type utype (fd (use))) + (allow dbusd_type utype (fifo_file (ioctl read write getattr lock append))) + (allow dbusd_type utype (process (sigchld))) + (allow utype dbusd_type (dir (ioctl read getattr lock open search))) + (allow utype dbusd_type (file (ioctl read getattr lock open))) + (allow utype dbusd_type (lnk_file (read getattr))) + (allow utype dbusd_type (process (getattr))) + (allow utype dbusd_type (process (sigchld sigkill sigstop signull signal))) + (allow dbusd_type bin_t (dir (getattr open search))) + (allow dbusd_type bin_t (lnk_file (read getattr))) + (allow dbusd_type bin_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (allow dbusd_type usr_t (dir (getattr open search))) + (allow dbusd_type usr_t (lnk_file (read getattr))) + (allow dbusd_type usr_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type bin_t process utype) + (typetransition dbusd_type usr_t process utype) + (allow dbusd_type bin_t (dir (getattr open search))) + (allow dbusd_type bin_t (dir (ioctl read getattr lock open search))) + (allow dbusd_type bin_t (dir (getattr open search))) + (allow dbusd_type bin_t (lnk_file (read getattr))) + (allow dbusd_type shell_exec_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type shell_exec_t process utype) + (allow dbusd_type utype 
(process (sigkill))) + (allow utype dbusd_type (fd (use))) + (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append open))) + (allow dbusd_type file_type (service (start stop status reload enable disable))) + (dontaudit dbusd_type self (capability (net_admin))) + (allow utype system_dbusd_t (dbus (send_msg))) + (allow utype self (dbus (send_msg))) + (allow system_dbusd_t utype (dbus (send_msg))) + (allow dbusd_unconfined utype (dbus (send_msg))) + (allow utype system_dbusd_var_lib_t (dir (getattr open search))) + (allow utype system_dbusd_var_lib_t (file (ioctl read getattr lock open))) + (allow utype system_dbusd_var_lib_t (dir (getattr open search))) + (allow utype system_dbusd_var_lib_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype urandom_device_t (chr_file (ioctl read getattr lock open))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype system_dbusd_var_run_t (dir (getattr open search))) + (allow utype system_dbusd_var_run_t (sock_file (write getattr append open))) + (allow utype system_dbusd_t (unix_stream_socket (connectto))) + (allow utype dbusd_etc_t (dir (ioctl read getattr lock open search))) + (allow utype dbusd_etc_t (file (ioctl read getattr lock open))) + (allow utype session_dbusd_tmp_t (dir (getattr open search))) + (allow utype session_dbusd_tmp_t (sock_file (write getattr append open))) + (allow utype utype (dbus (send_msg))) + (booleanif (deny_ptrace) + (false + (allow utype dbusd_type (process (ptrace))) + ) + ) + (optional confinedom_graphical_login_optional_6 + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + 
(typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require mozilla_exec_t) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (mozilla_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (mozilla_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (mozilla_exec_t )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (mozilla_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (mozilla_exec_t )) + (allow utype mozilla_exec_t (file (entrypoint))) + (allow utype mozilla_exec_t (file (ioctl read getattr lock map execute open))) + (allow dbusd_type mozilla_exec_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type mozilla_exec_t process utype) + (allow utype dbusd_type (fd (use))) + (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append))) + (allow utype dbusd_type (process (sigchld))) + ) + (optional confinedom_graphical_login_optional_7 + (typeattributeset cil_gen_require systemd_unit_file_t) + (allow dbusd_type systemd_unit_file_t (service (start))) + ) + (optional confinedom_graphical_login_optional_8 + (typeattributeset cil_gen_require unconfined_service_t) + (allow utype unconfined_service_t (dbus (send_msg))) + (allow unconfined_service_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_9 + (typeattributeset cil_gen_require accountsd_t) + (allow utype accountsd_t (dbus (send_msg))) + (allow accountsd_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_10 + (typeattributeset cil_gen_require avahi_t) + (allow utype avahi_t (dbus (send_msg))) + (allow avahi_t utype (dbus (send_msg))) + ) + (optional 
confinedom_graphical_login_optional_11 + (typeattributeset cil_gen_require bluetooth_t) + (allow utype bluetooth_t (dbus (send_msg))) + (allow bluetooth_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_12 + (typeattributeset cil_gen_require colord_t) + (allow utype colord_t (dbus (send_msg))) + (allow colord_t utype (dbus (send_msg))) + (allow colord_t utype (dir (ioctl read getattr lock open search))) + (allow colord_t utype (file (ioctl read getattr lock open))) + (allow colord_t utype (lnk_file (read getattr))) + (allow colord_t utype (process (getattr))) + ) + (optional confinedom_graphical_login_optional_13 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require consolekit_t) + (typeattributeset cil_gen_require consolekit_log_t) + (typeattributeset cil_gen_require var_log_t) + (allow utype consolekit_t (dbus (send_msg))) + (allow consolekit_t utype (dbus (send_msg))) + (allow utype consolekit_log_t (dir (getattr open search))) + (allow utype consolekit_log_t (file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_log_t (dir (getattr open search))) + ) + (optional confinedom_graphical_login_optional_14 + (typeattributeset cil_gen_require devicekit_t) + (typeattributeset cil_gen_require devicekit_power_t) + (typeattributeset cil_gen_require devicekit_disk_t) + (allow utype devicekit_t (dbus (send_msg))) + (allow devicekit_t utype (dbus (send_msg))) + (allow utype devicekit_power_t (dbus (send_msg))) + (allow devicekit_power_t utype (dbus (send_msg))) + (allow utype devicekit_disk_t (dbus (send_msg))) + (allow devicekit_disk_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_15 + (typeattributeset cil_gen_require evolution_t) + (typeattributeset cil_gen_require evolution_alarm_t) + (allow utype evolution_t (dbus (send_msg))) + (allow evolution_t utype (dbus (send_msg))) + (allow utype evolution_alarm_t (dbus (send_msg))) + (allow 
evolution_alarm_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_16 + (typeattributeset cil_gen_require firewalld_t) + (allow utype firewalld_t (dbus (send_msg))) + (allow firewalld_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_17 + (typeattributeset cil_gen_require geoclue_t) + (allow utype geoclue_t (dbus (send_msg))) + (allow geoclue_t utype (dbus (send_msg))) + (allow geoclue_t utype (dir (ioctl read getattr lock open search))) + (allow geoclue_t utype (file (ioctl read getattr lock open))) + (allow geoclue_t utype (lnk_file (read getattr))) + (allow geoclue_t utype (process (getattr))) + ) + (optional confinedom_graphical_login_optional_18 + (typeattributeset cil_gen_require gconfdefaultsm_t) + (allow utype gconfdefaultsm_t (dbus (send_msg))) + (allow gconfdefaultsm_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_19 + (typeattributeset cil_gen_require fprintd_t) + (allow utype fprintd_t (dbus (send_msg))) + (allow fprintd_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_20 + (typeattributeset cil_gen_require fwupd_t) + (allow utype fwupd_t (dbus (send_msg))) + (allow fwupd_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_21 + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require hwloc_dhwd_exec_t) + (typeattributeset cil_gen_require hwloc_var_run_t) + (allow utype hwloc_dhwd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype hwloc_var_run_t (dir (getattr open search))) + (allow utype hwloc_var_run_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_graphical_login_optional_22 + 
(typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require memcached_t) + (typeattributeset cil_gen_require memcached_var_run_t) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype memcached_var_run_t (dir (getattr open search))) + (allow utype memcached_var_run_t (sock_file (write getattr append open))) + (allow utype memcached_t (unix_stream_socket (connectto))) + ) + (optional confinedom_graphical_login_optional_23 + (typeattributeset cil_gen_require modemmanager_t) + (allow utype modemmanager_t (dbus (send_msg))) + (allow modemmanager_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_24 + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require NetworkManager_t) + (typeattributeset cil_gen_require NetworkManager_var_lib_t) + (allow utype NetworkManager_t (dbus (send_msg))) + (allow NetworkManager_t utype (dbus (send_msg))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype NetworkManager_var_lib_t (dir (getattr open search))) + (allow utype NetworkManager_var_lib_t (dir (ioctl read getattr lock open search))) + (allow utype NetworkManager_var_lib_t (dir (getattr open search))) + (allow utype NetworkManager_var_lib_t (file (ioctl read getattr lock open))) + (allow utype NetworkManager_var_lib_t (file (map))) + ) + (optional confinedom_graphical_login_optional_25 + (typeattributeset cil_gen_require policykit_t) + (allow policykit_t utype (dir (ioctl read getattr lock open search))) + (allow policykit_t utype (file (ioctl read getattr lock open))) + (allow policykit_t utype (lnk_file (read getattr))) + (allow policykit_t utype (process (getattr))) + (allow utype policykit_t 
(dbus (send_msg))) + (allow policykit_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_26 + (typeattributeset cil_gen_require rpm_t) + (allow utype rpm_t (dbus (send_msg))) + (allow rpm_t utype (dbus (send_msg))) + ) + (optional confinedom_graphical_login_optional_27 + (typeattributeset cil_gen_require vpnc_t) + (allow utype vpnc_t (dbus (send_msg))) + (allow vpnc_t utype (dbus (send_msg))) + ) + ) + (optional confinedom_graphical_login_optional_28 + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require rpm_var_lib_t) + (typeattributeset cil_gen_require rpm_var_cache_t) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype rpm_var_lib_t (dir (ioctl read getattr lock open search))) + (allow utype rpm_var_lib_t (dir (getattr open search))) + (allow utype rpm_var_lib_t (file (ioctl read getattr lock open))) + (allow utype rpm_var_lib_t (dir (getattr open search))) + (allow utype rpm_var_lib_t (lnk_file (read getattr))) + (allow utype rpm_var_lib_t (file (map))) + (allow utype var_t (dir (getattr open search))) + (allow utype rpm_var_cache_t (dir (ioctl read getattr lock open search))) + (allow utype rpm_var_cache_t (dir (getattr open search))) + (allow utype rpm_var_cache_t (file (ioctl read getattr lock open))) + (allow utype rpm_var_cache_t (dir (getattr open search))) + (allow utype rpm_var_cache_t (lnk_file (read getattr))) + ) + (optional confinedom_graphical_login_optional_29 + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require systemd_logind_t) + (typeattributeset cil_gen_require systemd_timedated_t) + (typeattributeset cil_gen_require systemd_hostnamed_t) + (typeattributeset cil_gen_require systemd_localed_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require init_script_file_type) 
+ (typeattributeset cil_gen_require systemd_logind_var_run_t) + (typeattributeset cil_gen_require systemd_logind_sessions_t) + (typeattributeset cil_gen_require init_var_run_t) + (typeattributeset cil_gen_require systemd_machined_var_run_t) + (typeattributeset cil_gen_require systemd_logind_inhibit_var_run_t) + (allow utype systemd_logind_t (dbus (send_msg))) + (allow systemd_logind_t utype (dbus (send_msg))) + (allow systemd_logind_t utype (dir (ioctl read getattr lock open search))) + (allow systemd_logind_t utype (file (ioctl read getattr lock open))) + (allow systemd_logind_t utype (lnk_file (read getattr))) + (allow systemd_logind_t utype (process (getattr))) + (allow systemd_logind_t utype (process (signal))) + (allow utype systemd_logind_t (fd (use))) + (allow utype systemd_timedated_t (dbus (send_msg))) + (allow systemd_timedated_t utype (dbus (send_msg))) + (allow systemd_timedated_t utype (dir (ioctl read getattr lock open search))) + (allow systemd_timedated_t utype (file (ioctl read getattr lock open))) + (allow systemd_timedated_t utype (lnk_file (read getattr))) + (allow systemd_timedated_t utype (process (getattr))) + (allow utype systemd_hostnamed_t (dbus (send_msg))) + (allow systemd_hostnamed_t utype (dbus (send_msg))) + (allow systemd_hostnamed_t utype (dir (ioctl read getattr lock open search))) + (allow systemd_hostnamed_t utype (file (ioctl read getattr lock open))) + (allow systemd_hostnamed_t utype (lnk_file (read getattr))) + (allow systemd_hostnamed_t utype (process (getattr))) + (allow utype systemd_localed_t (dbus (send_msg))) + (allow systemd_localed_t utype (dbus (send_msg))) + (allow systemd_localed_t utype (dir (ioctl read getattr lock open search))) + (allow systemd_localed_t utype (file (ioctl read getattr lock open))) + (allow systemd_localed_t utype (lnk_file (read getattr))) + (allow systemd_localed_t utype (process (getattr))) + (allow utype systemd_unit_file_type (service (start stop status reload enable disable))) + (allow 
utype init_script_file_type (service (start stop status reload enable disable))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr watch))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_sessions_t (dir (getattr watch))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_machined_var_run_t (dir (getattr watch))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_sessions_t (dir (ioctl read getattr lock open search))) + (allow utype systemd_logind_sessions_t (dir (getattr open search))) + (allow utype systemd_logind_sessions_t (file (ioctl read getattr lock open))) + (allow utype systemd_logind_inhibit_var_run_t (fifo_file (write))) + ) + (optional confinedom_graphical_login_optional_30 + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require cupsd_t) + (typeattributeset cil_gen_require cupsd_var_run_t) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype cupsd_var_run_t (dir (getattr open search))) + (allow utype cupsd_var_run_t (sock_file (write getattr append open))) + (allow utype cupsd_t (unix_stream_socket (connectto))) + (allow utype cupsd_var_run_t (sock_file (read getattr open))) + ) + (optional confinedom_graphical_login_optional_31 + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require mount_t) + 
(typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require fusermount_exec_t) + (typeattributeset cil_gen_require fsadm_t) + (typeattributeset cil_gen_require fsadm_exec_t) + (typeattributeset cil_gen_require mount_var_run_t) + (roleattributeset cil_gen_require urole) + (roletype urole mount_t) + (roletype urole fsadm_t) + (allow utype fusermount_exec_t (file (ioctl read getattr map execute open))) + (allow utype mount_t (process (transition))) + (typetransition utype fusermount_exec_t process mount_t) + (allow mount_t utype (fd (use))) + (allow mount_t utype (fifo_file (ioctl read write getattr lock append))) + (allow mount_t utype (process (sigchld))) + (allow mount_t utype (dir (ioctl read getattr lock open search))) + (allow mount_t utype (file (ioctl read getattr lock open))) + (allow mount_t utype (lnk_file (read getattr))) + (allow mount_t utype (process (getattr))) + (allow mount_t utype (unix_stream_socket (read write))) + (allow utype mount_t (fd (use))) + (allow mount_t bin_t (dir (getattr open search))) + (allow mount_t bin_t (lnk_file (read getattr))) + (allow mount_t bin_t (dir (getattr open search))) + (allow mount_t bin_t (dir (getattr open search))) + (allow mount_t fsadm_exec_t (file (ioctl read getattr map execute open))) + (allow mount_t fsadm_t (process (transition))) + (typetransition mount_t fsadm_exec_t process fsadm_t) + (allow fsadm_t mount_t (fd (use))) + (allow fsadm_t mount_t (fifo_file (ioctl read write getattr lock append))) + (allow fsadm_t mount_t (process (sigchld))) + (allow utype mount_var_run_t (dir (getattr open search))) + (allow utype mount_var_run_t (file (ioctl read getattr lock open))) + (allow utype mount_var_run_t (dir (getattr open search))) + (allow utype mount_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr 
open search))) + ) + (optional confinedom_graphical_login_optional_32 + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require pulseaudio_tmpfsfile) + (typeattributeset cil_gen_require pulseaudio_t) + (typeattributeset cil_gen_require pulseaudio_exec_t) + (typeattributeset cil_gen_require pulseaudio_tmpfs_t) + (typeattributeset cil_gen_require user_tmp_type) + (typeattributeset cil_gen_require pulseaudio_home_t) + (roleattributeset cil_gen_require urole) + (roletype urole user_tmp_t) + (roletype urole pulseaudio_t) + (allow utype pulseaudio_exec_t (file (ioctl read getattr map execute open))) + (allow utype pulseaudio_t (process (transition))) + (typetransition utype pulseaudio_exec_t process pulseaudio_t) + (allow pulseaudio_t utype (fd (use))) + (allow pulseaudio_t utype (fifo_file (ioctl read write getattr lock append))) + (allow pulseaudio_t utype (process (sigchld))) + (allow utype pulseaudio_t (dir (ioctl read getattr lock open search))) + (allow utype pulseaudio_t (file (ioctl read getattr lock open))) + (allow utype pulseaudio_t (lnk_file (read getattr))) + (allow utype pulseaudio_t (process (getattr))) + (allow pulseaudio_t utype (process (signull signal))) + (allow utype pulseaudio_t (process (sigkill signull signal))) + (allow utype pulseaudio_t (process2 (nnp_transition))) + (allow pulseaudio_t utype (dir (ioctl read getattr lock open search))) + (allow pulseaudio_t utype (file (ioctl read getattr lock open))) + (allow pulseaudio_t utype (lnk_file (read getattr))) + (allow pulseaudio_t utype (process (getattr))) + (allow pulseaudio_t utype (unix_stream_socket (connectto))) + (allow utype pulseaudio_t (unix_stream_socket (connectto))) + (allow utype pulseaudio_tmpfsfile (dir (ioctl read write create getattr setattr lock relabelfrom relabelto 
unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype pulseaudio_tmpfs_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype pulseaudio_tmpfsfile (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype pulseaudio_tmpfs_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (typemember pulseaudio_t tmp_t dir user_tmp_t) + (allow pulseaudio_t user_tmp_type (dir (mounton))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow pulseaudio_t user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow pulseaudio_t user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow pulseaudio_t user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow pulseaudio_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow pulseaudio_t user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow pulseaudio_t tmp_t (dir (ioctl read 
write getattr lock open add_name remove_name search))) + (typetransition pulseaudio_t tmp_t fifo_file user_tmp_t) + (typetransition pulseaudio_t tmp_t sock_file user_tmp_t) + (typetransition pulseaudio_t tmp_t lnk_file user_tmp_t) + (typetransition pulseaudio_t tmp_t dir user_tmp_t) + (typetransition pulseaudio_t tmp_t file user_tmp_t) + (allow user_tmp_t tmpfs_t (filesystem (associate))) + (allow pulseaudio_t tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition pulseaudio_t tmpfs_t fifo_file user_tmp_t) + (typetransition pulseaudio_t tmpfs_t sock_file user_tmp_t) + (typetransition pulseaudio_t tmpfs_t lnk_file user_tmp_t) + (typetransition pulseaudio_t tmpfs_t dir user_tmp_t) + (typetransition pulseaudio_t tmpfs_t file user_tmp_t) + (allow pulseaudio_t user_tmp_type (dir (getattr open search))) + (allow pulseaudio_t user_tmp_type (dir (getattr relabelfrom relabelto))) + (allow pulseaudio_t user_tmp_type (dir (getattr open search))) + (allow pulseaudio_t user_tmp_type (file (getattr relabelfrom relabelto))) + (allow pulseaudio_t user_tmp_type (dir (getattr open search))) + (allow pulseaudio_t user_tmp_type (lnk_file (getattr relabelfrom relabelto))) + (allow pulseaudio_t user_tmp_type (dir (getattr open search))) + (allow pulseaudio_t user_tmp_type (sock_file (getattr relabelfrom relabelto))) + (allow pulseaudio_t user_tmp_type (dir (getattr open search))) + (allow pulseaudio_t user_tmp_type (fifo_file (getattr relabelfrom relabelto))) + (allow pulseaudio_t user_tmp_type (file (map))) + (allow utype pulseaudio_t (dbus (send_msg))) + (allow pulseaudio_t utype (dbus (acquire_svc send_msg))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype 
home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (typetransition utype user_home_dir_t file ".esd_auth" pulseaudio_home_t) + (typetransition utype user_home_dir_t file ".pulse-cookie" pulseaudio_home_t) + (typetransition utype user_home_dir_t dir ".pulse" pulseaudio_home_t) + (optional confinedom_graphical_login_optional_33 + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require config_home_t) + (allow utype config_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_dir_t (lnk_file (read getattr))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (typetransition utype config_home_t dir "pulse" pulseaudio_home_t) + ) + ) + (optional confinedom_graphical_login_optional_34 + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require vdagent_log_t) + (typeattributeset cil_gen_require vdagent_var_run_t) + (typeattributeset cil_gen_require vdagent_t) + (allow utype var_t (dir (getattr open search))) + (allow utype var_log_t (dir (getattr open search))) + (allow utype vdagent_log_t (file (getattr))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype vdagent_var_run_t (dir (getattr open search))) + (allow utype vdagent_var_run_t (sock_file (write getattr append open))) + (allow utype 
vdagent_t (unix_stream_socket (connectto))) + ) + (optional confinedom_graphical_login_optional_35 + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require rtkit_daemon_t) + (allow rtkit_daemon_t utype (process (getsched setsched))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_t (dir (getattr open search))) + (allow rtkit_daemon_t utype (dir (ioctl read getattr lock open search))) + (allow rtkit_daemon_t utype (file (ioctl read getattr lock open))) + (allow rtkit_daemon_t utype (lnk_file (read getattr))) + (allow rtkit_daemon_t utype (process (getattr))) + (optional confinedom_graphical_login_optional_36 + (typeattributeset cil_gen_require rtkit_daemon_t) + (allow utype rtkit_daemon_t (dbus (send_msg))) + (allow rtkit_daemon_t utype (dbus (send_msg))) + ) + ) + ) +) + +(macro confinedom_mozilla_usage_macro ((type utype) (role urole)) + (optional confinedom_mozilla_usage_optional + (roleattributeset cil_gen_require mozilla_roles) + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require mozilla_t) + (typeattributeset cil_gen_require mozilla_exec_t) + (typeattributeset cil_gen_require mozilla_home_t) + (typeattributeset cil_gen_require mozilla_tmpfs_t) + (typeattributeset cil_gen_require utype) + (optional confinedom_mozilla_usage_optional_3 + (roleattributeset cil_gen_require mozilla_plugin_roles) + (roleattributeset cil_gen_require mozilla_plugin_config_roles) + (typeattributeset cil_gen_require mozilla_t) + (typeattributeset cil_gen_require mozilla_home_t) + (typeattributeset cil_gen_require mozilla_plugin_t) + (typeattributeset cil_gen_require mozilla_plugin_exec_t) + (typeattributeset cil_gen_require mozilla_plugin_config_t) + (typeattributeset cil_gen_require mozilla_plugin_config_exec_t) + (typeattributeset cil_gen_require mozilla_plugin_rw_t) + (typeattributeset cil_gen_require lib_t) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require home_root_t) + 
(roleattributeset cil_gen_require mozilla_plugin_config_roles) + (roleattributeset mozilla_plugin_config_roles (urole )) + (roleattributeset cil_gen_require mozilla_plugin_roles) + (roleattributeset mozilla_plugin_roles (urole )) + (allow utype mozilla_t (process (noatsecure siginh rlimitinh))) + (allow utype mozilla_t (dir (ioctl read getattr lock open search))) + (allow utype mozilla_t (file (ioctl read getattr lock open))) + (allow utype mozilla_t (lnk_file (read getattr))) + (allow utype mozilla_t (process (getattr))) + (allow utype mozilla_t (process (sigchld sigkill sigstop signull signal))) + (allow utype mozilla_t (fd (use))) + (allow utype mozilla_t (shm (getattr associate))) + (allow utype mozilla_t (shm (unix_read unix_write))) + (allow utype mozilla_t (unix_stream_socket (connectto))) + (allow utype mozilla_plugin_exec_t (file (ioctl read getattr map execute open))) + (allow utype mozilla_plugin_t (process (transition))) + (typetransition utype mozilla_plugin_exec_t process mozilla_plugin_t) + (allow mozilla_plugin_t utype (fd (use))) + (allow mozilla_plugin_t utype (fifo_file (ioctl read write getattr lock append))) + (allow mozilla_plugin_t utype (process (sigchld))) + (allow utype mozilla_plugin_config_exec_t (file (ioctl read getattr map execute open))) + (allow utype mozilla_plugin_config_t (process (transition))) + (typetransition utype mozilla_plugin_config_exec_t process mozilla_plugin_config_t) + (allow mozilla_plugin_config_t utype (fd (use))) + (allow mozilla_plugin_config_t utype (fifo_file (ioctl read write getattr lock append))) + (allow mozilla_plugin_config_t utype (process (sigchld))) + (allow mozilla_plugin_t utype (process (signull))) + (dontaudit mozilla_plugin_config_t utype (file (ioctl read getattr lock))) + (dontaudit mozilla_plugin_t utype (process (signal))) + (allow utype mozilla_plugin_t (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown connectto))) + (allow utype 
mozilla_plugin_t (fd (use))) + (allow mozilla_plugin_t utype (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown))) + (allow mozilla_plugin_t utype (unix_dgram_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown sendto))) + (allow mozilla_plugin_t utype (shm (destroy getattr read write associate unix_read unix_write lock))) + (allow mozilla_plugin_t utype (sem (create destroy getattr setattr read write associate unix_read unix_write))) + (allow utype mozilla_plugin_t (sem (getattr read write associate unix_read unix_write))) + (allow utype mozilla_plugin_t (shm (getattr read write associate unix_read unix_write lock))) + (allow utype mozilla_plugin_t (fifo_file (ioctl read write getattr lock append open))) + (allow utype mozilla_plugin_t (dir (ioctl read getattr lock open search))) + (allow utype mozilla_plugin_t (file (ioctl read getattr lock open))) + (allow utype mozilla_plugin_t (lnk_file (read getattr))) + (allow utype mozilla_plugin_t (process (getattr))) + (allow mozilla_plugin_t utype (dir (ioctl read getattr lock open search))) + (allow mozilla_plugin_t utype (file (ioctl read getattr lock open))) + (allow mozilla_plugin_t utype (lnk_file (read getattr))) + (allow mozilla_plugin_t utype (process (getattr))) + (allow utype mozilla_plugin_t (process (sigchld sigkill sigstop signull signal noatsecure))) + (allow utype mozilla_plugin_rw_t (dir (getattr open search))) + (allow utype mozilla_plugin_rw_t (dir (ioctl read getattr lock open search))) + (allow utype mozilla_plugin_rw_t (dir (getattr open search))) + (allow utype mozilla_plugin_rw_t (file (ioctl read getattr lock open))) + (allow utype mozilla_plugin_rw_t (dir (getattr open search))) + (allow utype mozilla_plugin_rw_t (lnk_file (read getattr))) + (allow utype mozilla_plugin_rw_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype mozilla_plugin_t (dbus (send_msg))) + (allow 
mozilla_plugin_t utype (dbus (send_msg))) + (allow mozilla_plugin_t utype (process (signull))) + (allow utype mozilla_t (dbus (send_msg))) + (allow mozilla_t utype (dbus (send_msg))) + (allow utype mozilla_plugin_rw_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + 
(allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name 
remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (typetransition utype user_home_dir_t dir ".webex" mozilla_home_t) + (typetransition utype user_home_dir_t file "mozilla.pdf" mozilla_home_t) + (typetransition utype user_home_dir_t file ".gnashpluginrc" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".IBMERS" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".lyx" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".juniper_networks" mozilla_home_t) + (typetransition utype user_home_dir_t dir "zimbrauserdata" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".ICAClient" mozilla_home_t) 
+ (typetransition utype user_home_dir_t dir ".spicec" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".quakelive" mozilla_home_t) + (typetransition utype user_home_dir_t file "abc" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".icedtea" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".icedteaplugin" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".gcjwebplugin" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".grl-podcasts" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".gnash" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".macromedia" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".adobe" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".phoenix" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".netscape" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".thunderbird" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".mozilla" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".java" mozilla_home_t) + (typetransition utype user_home_dir_t dir ".galeon" mozilla_home_t) + (typetransition utype mozilla_plugin_rw_t file "nswrapper_32_64.nppdf.so" lib_t) + (booleanif (deny_ptrace) + (false + (allow utype mozilla_plugin_t (process (ptrace))) + ) + ) + (optional confinedom_mozilla_usage_optional_4 + (roleattributeset cil_gen_require lpr_roles) + (typeattributeset cil_gen_require lpr_t) + (typeattributeset cil_gen_require lpr_exec_t) + (roleattributeset cil_gen_require lpr_roles) + (roleattributeset lpr_roles (urole )) + (allow mozilla_plugin_t lpr_exec_t (file (ioctl read getattr map execute open))) + (allow mozilla_plugin_t lpr_t (process (transition))) + (typetransition mozilla_plugin_t lpr_exec_t process lpr_t) + (allow lpr_t mozilla_plugin_t (fd (use))) + (allow lpr_t mozilla_plugin_t (fifo_file (ioctl read write getattr lock append))) + (allow lpr_t mozilla_plugin_t (process (sigchld))) + ) + (optional 
confinedom_mozilla_usage_optional_5 + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require cache_home_t) + (allow utype cache_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_dir_t (lnk_file (read getattr))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype cache_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_dir_t (lnk_file (read getattr))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (typetransition utype cache_home_t dir "icedtea-web" mozilla_home_t) + (typetransition utype cache_home_t dir "mozilla" mozilla_home_t) + ) + ) + ) +) + +(macro confinedom_networking_macro ((type utype) (role urole)) + (optional confinedom_networking_optional_2 + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require ping_t) + (typeattributeset cil_gen_require ping_exec_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require traceroute_t) + (typeattributeset cil_gen_require traceroute_exec_t) + (roleattributeset cil_gen_require urole) + (roletype urole ping_t) + (roletype urole traceroute_t) + (booleanif (selinuxuser_ping) + (true + (allow utype ping_t (process (sigkill signal))) + (allow ping_t utype (process (sigchld))) + (allow ping_t utype (fifo_file (ioctl read write getattr lock append))) + (allow ping_t utype (fd (use))) + (typetransition utype ping_exec_t process ping_t) + (allow utype ping_t (process (transition))) + (allow utype ping_exec_t (file (ioctl read getattr map execute open))) + (allow utype bin_t (dir (getattr open search))) + 
(allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype traceroute_t (process (sigkill signal))) + (allow traceroute_t utype (process (sigchld))) + (allow traceroute_t utype (fifo_file (ioctl read write getattr lock append))) + (allow traceroute_t utype (fd (use))) + (typetransition utype traceroute_exec_t process traceroute_t) + (allow utype traceroute_t (process (transition))) + (allow utype traceroute_exec_t (file (ioctl read getattr map execute open))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + ) + ) + ) +) + +(macro confinedom_security_advanced_macro ((type utype) (role urole) (type sudo_type) (type userhelper_type)) + (optional confinedom_security_advanced_optional_2 + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require sudo_type) + (typeattributeset cil_gen_require auditd_log_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require auditd_etc_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require can_setenforce) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require secure_mode_policyload_t) + (typeattributeset cil_gen_require boolean_type) + (typeattributeset cil_gen_require can_setbool) + (typeattributeset cil_gen_require semanage_t) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require semanage_store_t) + (typeattributeset cil_gen_require selinux_login_config_t) + (typeattributeset cil_gen_require semanage_exec_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require setfiles_t) + (typeattributeset 
cil_gen_require setfiles_exec_t) + (typeattributeset cil_gen_require load_policy_t) + (typeattributeset cil_gen_require load_policy_exec_t) + (typeattributeset cil_gen_require newrole_t) + (typeattributeset cil_gen_require newrole_exec_t) + (typeattributeset cil_gen_require updpwd_t) + (typeattributeset cil_gen_require updpwd_exec_t) + (typeattributeset cil_gen_require shadow_t) + (roleattributeset cil_gen_require urole) + (roletype urole semanage_t) + (roletype urole setfiles_t) + (roletype urole load_policy_t) + (roletype urole newrole_t) + (roletype urole updpwd_t) + (typeattributeset cil_gen_require can_setbool) + (typeattributeset can_setbool (utype )) + (typeattributeset cil_gen_require can_setenforce) + (typeattributeset can_setenforce (utype )) + (allow utype var_t (dir (getattr open search))) + (allow utype auditd_log_t (dir (getattr open search))) + (allow utype auditd_log_t (file (ioctl read getattr lock open))) + (allow utype auditd_log_t (dir (getattr open search))) + (allow utype auditd_log_t (lnk_file (read getattr))) + (allow utype auditd_log_t (dir (ioctl read getattr lock open search))) + (allow utype etc_t (dir (getattr open search))) + (allow utype auditd_etc_t (dir (getattr open search))) + (allow utype auditd_etc_t (file (ioctl read getattr lock open))) + (allow utype auditd_etc_t (dir (ioctl read getattr lock open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read write getattr lock append open))) + (allow utype sysfs_t (filesystem (getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype boolean_type (dir (ioctl read getattr lock open search))) + (allow utype boolean_type 
(file (ioctl read write getattr lock append open))) + (allow semanage_t utype (dir (ioctl read getattr lock open search))) + (allow semanage_t utype (file (ioctl read getattr lock open))) + (allow semanage_t utype (lnk_file (read getattr))) + (allow semanage_t utype (process (getattr))) + (allow utype semanage_t (dbus (send_msg))) + (allow semanage_t utype (dbus (send_msg))) + (allow utype etc_t (dir (getattr open search))) + (allow utype var_t (dir (getattr open search))) + (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype semanage_store_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype semanage_store_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype semanage_store_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype semanage_store_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype semanage_store_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype selinux_config_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype etc_t (dir (getattr open search))) + (allow utype 
selinux_config_t (dir (getattr open search))) + (allow utype selinux_login_config_t (dir (ioctl read getattr lock open search))) + (allow utype selinux_login_config_t (dir (getattr open search))) + (allow utype selinux_login_config_t (file (ioctl read getattr lock open))) + (allow utype selinux_login_config_t (dir (getattr open search))) + (allow utype selinux_login_config_t (lnk_file (read getattr))) + (allow sudo_type usr_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type semanage_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type semanage_t (process (transition))) + (typetransition sudo_type semanage_exec_t process semanage_t) + (allow semanage_t sudo_type (fd (use))) + (allow semanage_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow semanage_t sudo_type (process (sigchld))) + (allow semanage_t usr_t (dir (getattr open search))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t bin_t (lnk_file (read getattr))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t setfiles_exec_t (file (ioctl read getattr map execute open))) + (allow semanage_t setfiles_t (process (transition))) + (typetransition semanage_t setfiles_exec_t process setfiles_t) + (allow setfiles_t semanage_t (fd (use))) + (allow setfiles_t semanage_t (fifo_file (ioctl read write getattr lock append))) + (allow setfiles_t semanage_t (process (sigchld))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t bin_t (lnk_file (read getattr))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t bin_t (dir (getattr open search))) + (allow semanage_t load_policy_exec_t (file (ioctl read getattr map execute 
open))) + (allow semanage_t load_policy_t (process (transition))) + (typetransition semanage_t load_policy_exec_t process load_policy_t) + (allow load_policy_t semanage_t (fd (use))) + (allow load_policy_t semanage_t (fifo_file (ioctl read write getattr lock append))) + (allow load_policy_t semanage_t (process (sigchld))) + (allow utype usr_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype newrole_exec_t (file (ioctl read getattr map execute open))) + (allow utype newrole_t (process (transition))) + (typetransition utype newrole_exec_t process newrole_t) + (allow newrole_t utype (fd (use))) + (allow newrole_t utype (fifo_file (ioctl read write getattr lock append))) + (allow newrole_t utype (process (sigchld))) + (allow newrole_t updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow newrole_t updpwd_t (process (transition))) + (typetransition newrole_t updpwd_exec_t process updpwd_t) + (allow updpwd_t newrole_t (fd (use))) + (allow updpwd_t newrole_t (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t newrole_t (process (sigchld))) + (dontaudit newrole_t shadow_t (file (ioctl read getattr lock open))) + (allow sudo_type usr_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type setfiles_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type setfiles_t (process (transition))) + (typetransition sudo_type setfiles_exec_t process setfiles_t) + (allow setfiles_t sudo_type (fd (use))) + (allow setfiles_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow setfiles_t sudo_type (process (sigchld))) + 
(typetransition utype selinux_config_t dir "tmp" semanage_store_t) + (typetransition utype selinux_config_t dir "previous" semanage_store_t) + (typetransition utype selinux_config_t dir "active" semanage_store_t) + (typetransition utype selinux_config_t dir "modules" semanage_store_t) + (optional confinedom_security_advanced_optional_3 + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require setfiles_t) + (typeattributeset cil_gen_require setfiles_exec_t) + (typeattributeset cil_gen_require namespace_init_t) + (typeattributeset cil_gen_require namespace_init_exec_t) + (roleattributeset cil_gen_require urole) + (roletype urole setfiles_t) + (roletype urole namespace_init_t) + (allow newrole_t namespace_init_exec_t (file (ioctl read getattr map execute open))) + (allow newrole_t namespace_init_t (process (transition))) + (typetransition newrole_t namespace_init_exec_t process namespace_init_t) + (allow namespace_init_t newrole_t (fd (use))) + (allow namespace_init_t newrole_t (fifo_file (ioctl read write getattr lock append))) + (allow namespace_init_t newrole_t (process (sigchld))) + (allow namespace_init_t usr_t (dir (getattr open search))) + (allow namespace_init_t bin_t (dir (getattr open search))) + (allow namespace_init_t bin_t (lnk_file (read getattr))) + (allow namespace_init_t bin_t (dir (getattr open search))) + (allow namespace_init_t bin_t (dir (getattr open search))) + (allow namespace_init_t setfiles_exec_t (file (ioctl read getattr map execute open))) + (allow namespace_init_t setfiles_t (process (transition))) + (typetransition namespace_init_t setfiles_exec_t process setfiles_t) + (allow setfiles_t namespace_init_t (fd (use))) + (allow setfiles_t namespace_init_t (fifo_file (ioctl read write getattr lock append))) + (allow setfiles_t namespace_init_t (process (sigchld))) + ) + (optional confinedom_security_advanced_optional_4 + (roletype object_r userhelper_type) + (typeattributeset 
cil_gen_require var_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require updpwd_t) + (typeattributeset cil_gen_require updpwd_exec_t) + (typeattributeset cil_gen_require shadow_t) + (typeattributeset cil_gen_require userhelper_type) + (typeattributeset cil_gen_require userhelper_exec_t) + (typeattributeset cil_gen_require userhelper_conf_t) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require can_change_process_role) + (typeattributeset cil_gen_require can_change_object_identity) + (typeattributeset cil_gen_require privfd) + (typeattributeset cil_gen_require can_change_process_identity) + (typeattributeset cil_gen_require sysctl_type) + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require proc_net_t) + (typeattributeset cil_gen_require debugfs_t) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require urandom_device_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require etc_runtime_t) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require autofs_t) + (typeattributeset 
cil_gen_require nfs_t) + (typeattributeset cil_gen_require devpts_t) + (typeattributeset cil_gen_require ttynode) + (typeattributeset cil_gen_require ptynode) + (typeattributeset cil_gen_require chkpwd_t) + (typeattributeset cil_gen_require chkpwd_exec_t) + (typeattributeset cil_gen_require auth_cache_t) + (typeattributeset cil_gen_require random_device_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require faillog_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require cert_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require pam_var_run_t) + (typeattributeset cil_gen_require var_auth_t) + (typeattributeset cil_gen_require pam_var_console_t) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require initrc_var_run_t) + (typeattributeset cil_gen_require default_context_t) + (typeattributeset cil_gen_require unpriv_userdomain) + (roleattributeset cil_gen_require urole) + (roletype urole userhelper_type) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (userhelper_type )) + (typeattributeset cil_gen_require can_change_process_identity) + (typeattributeset can_change_process_identity (userhelper_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (userhelper_type )) + (typeattributeset cil_gen_require privfd) + (typeattributeset privfd (userhelper_type )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (userhelper_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (userhelper_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (userhelper_exec_t )) + (typeattributeset cil_gen_require 
can_change_object_identity) + (typeattributeset can_change_object_identity (userhelper_type )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (userhelper_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (userhelper_type )) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (userhelper_type )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (userhelper_type )) + (typeattributeset cil_gen_require can_change_process_role) + (typeattributeset can_change_process_role (userhelper_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type (userhelper_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (userhelper_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (userhelper_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (userhelper_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (userhelper_type )) + (typeattributeset cil_gen_require userhelper_type) + (allow userhelper_type userhelper_exec_t (file (entrypoint))) + (allow userhelper_type userhelper_exec_t (file (ioctl read getattr lock map execute open))) + (allow userhelper_type self (capability (chown dac_read_search setgid setuid net_bind_service sys_tty_config))) + (allow userhelper_type self (process (fork transition sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit))) + (allow userhelper_type self (process (setexec))) + (allow userhelper_type self (fd (use))) + (allow userhelper_type self (fifo_file (ioctl read write getattr lock append open))) + 
(allow userhelper_type self (shm (create destroy getattr setattr read write associate unix_read unix_write lock))) + (allow userhelper_type self (sem (create destroy getattr setattr read write associate unix_read unix_write))) + (allow userhelper_type self (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue))) + (allow userhelper_type self (msg (send receive))) + (allow userhelper_type self (unix_dgram_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown))) + (allow userhelper_type self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown))) + (allow userhelper_type self (unix_dgram_socket (sendto))) + (allow userhelper_type self (unix_stream_socket (connectto))) + (allow userhelper_type self (sock_file (read getattr open))) + (allow utype userhelper_exec_t (file (ioctl read getattr map execute open))) + (allow utype userhelper_type (process (transition))) + (typetransition utype userhelper_exec_t process userhelper_type) + (allow userhelper_type utype (fd (use))) + (allow userhelper_type utype (fifo_file (ioctl read write getattr lock append))) + (allow userhelper_type utype (process (sigchld))) + (allow userhelper_type userhelper_conf_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type userhelper_conf_t (dir (getattr open search))) + (allow userhelper_type userhelper_conf_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type userhelper_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (dontaudit utype userhelper_type (process (signal))) + (allow userhelper_type sysctl_type (dir (getattr open search))) + (allow userhelper_type proc_t (dir (getattr open search))) + (allow userhelper_type proc_net_t (dir (getattr open search))) + (allow userhelper_type sysctl_type (file (ioctl read getattr lock open))) + (allow 
userhelper_type proc_t (dir (getattr open search))) + (allow userhelper_type proc_net_t (dir (getattr open search))) + (allow userhelper_type sysctl_type (dir (ioctl read getattr lock open search))) + (allow userhelper_type debugfs_t (filesystem (getattr))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow userhelper_type shell_exec_t (file (map))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (file (ioctl read getattr map execute open))) + (allow userhelper_type utype (process (transition))) + (allow userhelper_type usr_t (dir (getattr open search))) + (allow userhelper_type usr_t (lnk_file (read getattr))) + (allow userhelper_type usr_t (file (ioctl read getattr map execute open))) + (allow userhelper_type utype (process (transition))) + (typetransition userhelper_type bin_t process utype) + (typetransition userhelper_type usr_t process utype) + (allow userhelper_type privfd (fd (use))) + (allow userhelper_type privfd (process (sigchld))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type urandom_device_t (chr_file (ioctl read getattr lock open))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_lib_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type etc_t (dir (ioctl read getattr lock open 
search))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type etc_t (file (ioctl read getattr lock open))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type etc_t (lnk_file (read getattr))) + (allow userhelper_type etc_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type etc_runtime_t (file (ioctl read getattr lock open))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type etc_runtime_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_t (file (ioctl read getattr lock open))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type home_root_t (dir (getattr open search))) + (allow userhelper_type home_root_t (lnk_file (read getattr))) + (allow userhelper_type autofs_t (dir (getattr open search))) + (allow userhelper_type autofs_t (dir (getattr open search))) + (allow userhelper_type nfs_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type nfs_t (dir (getattr open search))) + (allow userhelper_type nfs_t (file (ioctl read getattr lock open))) + (allow userhelper_type nfs_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type nfs_t (dir (getattr open search))) + (allow userhelper_type nfs_t (lnk_file (read getattr))) + (allow userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type security_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow 
userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type security_t (file (ioctl read write getattr lock append map open))) + (allow userhelper_type security_t (security (check_context))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type security_t (security (compute_av))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type security_t (security (compute_create))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type security_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type security_t (security (compute_relabel))) + (allow userhelper_type sysfs_t (filesystem (getattr))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type sysfs_t (dir (getattr open search))) + (allow userhelper_type security_t (lnk_file (read getattr))) + (allow userhelper_type 
security_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type security_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type security_t (security (compute_user))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) + (allow userhelper_type devpts_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) + (allow userhelper_type ttynode (chr_file (getattr relabelfrom relabelto))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) + (allow userhelper_type devpts_t (dir (getattr open search))) + (allow userhelper_type devpts_t (chr_file (getattr relabelfrom relabelto))) + (allow userhelper_type ptynode (chr_file (getattr relabelfrom relabelto))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) + (allow userhelper_type ttynode (chr_file (ioctl read write getattr lock append open))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type device_t (lnk_file (read getattr))) 
+ (allow userhelper_type devpts_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type ptynode (chr_file (ioctl read write getattr lock append open))) + (allow userhelper_type auth_cache_t (dir (getattr open search))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type chkpwd_exec_t (file (ioctl read getattr map execute open))) + (allow userhelper_type chkpwd_t (process (transition))) + (typetransition userhelper_type chkpwd_exec_t process chkpwd_t) + (allow chkpwd_t userhelper_type (fd (use))) + (allow chkpwd_t userhelper_type (fifo_file (ioctl read write getattr lock append))) + (allow chkpwd_t userhelper_type (process (sigchld))) + (allow userhelper_type chkpwd_exec_t (file (map))) + (dontaudit userhelper_type shadow_t (file (ioctl read getattr lock open))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type random_device_t (chr_file (ioctl read getattr lock open))) + (allow userhelper_type device_t (dir (getattr open search))) + (allow userhelper_type urandom_device_t (chr_file (ioctl read getattr lock open))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_log_t (dir (getattr open search))) + (allow userhelper_type faillog_t (dir (getattr open search))) + (allow userhelper_type faillog_t (file (ioctl read write getattr lock append open))) + (allow userhelper_type self (capability (audit_write))) + (allow userhelper_type self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit))) + (allow userhelper_type cert_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type cert_t (dir (getattr open search))) + (allow userhelper_type cert_t (file (ioctl read 
getattr lock open))) + (allow userhelper_type cert_t (dir (getattr open search))) + (allow userhelper_type cert_t (lnk_file (read getattr))) + (allow userhelper_type updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow userhelper_type updpwd_t (process (transition))) + (typetransition userhelper_type updpwd_exec_t process updpwd_t) + (allow updpwd_t userhelper_type (fd (use))) + (allow updpwd_t userhelper_type (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t userhelper_type (process (sigchld))) + (dontaudit userhelper_type shadow_t (file (ioctl read getattr lock open))) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type pam_var_run_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow userhelper_type pam_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name 
remove_name search))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_auth_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_auth_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow userhelper_type var_auth_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type var_auth_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type pam_var_console_t (dir (getattr open search))) + (allow userhelper_type init_t (fd (use))) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type initrc_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type selinux_config_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type selinux_config_t (dir (getattr open search))) + 
(allow userhelper_type selinux_config_t (file (ioctl read getattr lock open))) + (allow userhelper_type selinux_config_t (dir (getattr open search))) + (allow userhelper_type selinux_config_t (lnk_file (read getattr))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type selinux_config_t (dir (getattr open search))) + (allow userhelper_type default_context_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type default_context_t (dir (getattr open search))) + (allow userhelper_type default_context_t (file (ioctl read getattr lock open))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (file (ioctl read getattr map execute open))) + (allow userhelper_type unpriv_userdomain (process (transition))) + (allow userhelper_type usr_t (dir (getattr open search))) + (allow userhelper_type usr_t (lnk_file (read getattr))) + (allow userhelper_type usr_t (file (ioctl read getattr map execute open))) + (allow userhelper_type unpriv_userdomain (process (transition))) + (allow unpriv_userdomain userhelper_type (fd (use))) + (allow unpriv_userdomain userhelper_type (fifo_file (ioctl read write getattr lock append open))) + (allow unpriv_userdomain userhelper_type (process (sigchld))) + (allow userhelper_type entry_type (file (ioctl read getattr map execute open))) + (allow userhelper_type unpriv_userdomain (process (transition))) + (allow unpriv_userdomain userhelper_type (fd (use))) + (allow unpriv_userdomain userhelper_type (fifo_file (ioctl read write getattr lock append open))) + (allow unpriv_userdomain userhelper_type (process (sigchld))) + (typetransition userhelper_type var_run_t file "utmp" initrc_var_run_t) + (typetransition userhelper_type var_run_t dir "sudo" pam_var_run_t) + (typetransition userhelper_type var_run_t dir "sepermit" pam_var_run_t) + (typetransition userhelper_type var_run_t dir "pam_timestamp" pam_var_run_t) 
+ (typetransition userhelper_type var_run_t dir "pam_ssh" pam_var_run_t) + (typetransition userhelper_type var_run_t dir "pam_mount" pam_var_run_t) + (optional confinedom_security_advanced_optional_5 + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require krb5_keytab_t) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type krb5_keytab_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type krb5_keytab_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_security_advanced_optional_6 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require pcscd_var_run_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require pcscd_t) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type pcscd_var_run_t (dir (getattr open search))) + (allow userhelper_type pcscd_var_run_t (file (ioctl read getattr lock open))) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type pcscd_var_run_t (dir (getattr open search))) + (allow userhelper_type pcscd_var_run_t (sock_file (write getattr append open))) + (allow userhelper_type pcscd_t (unix_stream_socket (connectto))) + ) + (optional confinedom_security_advanced_optional_7 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require samba_var_t) + (typeattributeset cil_gen_require winbind_t) + (typeattributeset cil_gen_require winbind_var_run_t) + (typeattributeset cil_gen_require 
smbd_var_run_t) + (typeattributeset cil_gen_require samba_etc_t) + (allow userhelper_type var_t (lnk_file (read getattr))) + (allow userhelper_type var_run_t (lnk_file (read getattr))) + (allow userhelper_type var_t (dir (getattr open search))) + (allow userhelper_type var_run_t (dir (getattr open search))) + (allow userhelper_type smbd_var_run_t (dir (getattr open search))) + (allow userhelper_type samba_var_t (dir (getattr open search))) + (allow userhelper_type winbind_var_run_t (dir (getattr open search))) + (allow userhelper_type winbind_var_run_t (sock_file (write getattr append open))) + (allow userhelper_type winbind_t (unix_stream_socket (connectto))) + (allow userhelper_type etc_t (dir (getattr open search))) + (allow userhelper_type samba_etc_t (dir (getattr open search))) + (allow userhelper_type samba_etc_t (dir (ioctl read getattr lock open search))) + (allow userhelper_type samba_etc_t (dir (getattr open search))) + (allow userhelper_type samba_etc_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_security_advanced_optional_8 + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require rpm_t) + (typeattributeset cil_gen_require rpm_exec_t) + (typeattributeset cil_gen_require rpm_transition_domain) + (typeattributeset cil_gen_require debuginfo_exec_t) + (typeattributeset cil_gen_require rpm_transition_domain) + (typeattributeset rpm_transition_domain (userhelper_type )) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type rpm_exec_t (file (ioctl read getattr map execute open))) + (allow userhelper_type rpm_t (process (transition))) + (typetransition userhelper_type rpm_exec_t process rpm_t) + (allow rpm_t userhelper_type (fd (use))) + (allow rpm_t userhelper_type (fifo_file (ioctl read write getattr lock 
append))) + (allow rpm_t userhelper_type (process (sigchld))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type bin_t (dir (getattr open search))) + (allow userhelper_type debuginfo_exec_t (file (ioctl read getattr map execute open))) + (allow userhelper_type rpm_t (process (transition))) + (typetransition userhelper_type debuginfo_exec_t process rpm_t) + (allow rpm_t userhelper_type (fd (use))) + (allow rpm_t userhelper_type (fifo_file (ioctl read write getattr lock append))) + (allow rpm_t userhelper_type (process (sigchld))) + (allow userhelper_type debuginfo_exec_t (dir (getattr open search))) + (allow userhelper_type debuginfo_exec_t (lnk_file (read getattr))) + ) + (optional confinedom_security_advanced_optional_9 + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require sysadm_t) + (booleanif (secure_mode) + (false + (allow sysadm_t userhelper_type (process (sigchld))) + (allow sysadm_t userhelper_type (fifo_file (ioctl read write getattr lock append open))) + (allow sysadm_t userhelper_type (fd (use))) + (allow userhelper_type sysadm_t (process (transition))) + (allow userhelper_type entry_type (file (ioctl read getattr map execute open))) + (allow sysadm_t userhelper_type (process (sigchld))) + (allow sysadm_t userhelper_type (fifo_file (ioctl read write getattr lock append open))) + (allow sysadm_t userhelper_type (fd (use))) + (allow userhelper_type sysadm_t (process (transition))) + (allow userhelper_type usr_t (file (ioctl read getattr map execute open))) + (allow userhelper_type usr_t (lnk_file (read getattr))) + (allow userhelper_type usr_t (dir (getattr open search))) + (allow userhelper_type sysadm_t (process (transition))) + (allow userhelper_type bin_t (file (ioctl read getattr map 
execute open))) + (allow userhelper_type bin_t (lnk_file (read getattr))) + (allow userhelper_type bin_t (dir (getattr open search))) + ) + ) + ) + ) + ) +) + +(macro confinedom_security_basic_macro ((type utype) (role urole)) + (optional confinedom_security_basic_optional_2 + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require can_load_policy) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require can_load_policy) + (typeattributeset can_load_policy (utype )) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read write getattr lock append open))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read getattr lock open))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype security_t (security (read_policy))) + ) +) + +(macro confinedom_sudo_macro ((type utype) (role urole) (type sudo_type) (type sudo_tmp_type)) + (optional confinedom_sudo_optional + ;(type sudo_type) + (roletype object_r sudo_type) + ;(type sudo_tmp_type) + (roletype object_r sudo_tmp_type) + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require sudo_type) + (typeattributeset cil_gen_require kernel_t) + (typeattributeset cil_gen_require sudo_exec_t) + (typeattributeset cil_gen_require sudo_db_t) + (typeattributeset cil_gen_require sudodomain) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require 
application_exec_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require privfd) + (typeattributeset cil_gen_require can_change_process_role) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset cil_gen_require tmpfile) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require polymember) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require user_home_t) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require chkpwd_t) + (typeattributeset cil_gen_require chkpwd_exec_t) + (typeattributeset cil_gen_require shadow_t) + (typeattributeset cil_gen_require auth_cache_t) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require random_device_t) + (typeattributeset cil_gen_require urandom_device_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require faillog_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require cert_t) + (typeattributeset cil_gen_require updpwd_t) + (typeattributeset cil_gen_require updpwd_exec_t) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset 
cil_gen_require syslogd_var_run_t) + (typeattributeset cil_gen_require devpts_t) + (typeattributeset cil_gen_require sshd_devpts_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require init_script_file_type) + (roleattributeset cil_gen_require urole) + (roletype urole sudo_type) + (roletype urole chkpwd_t) + (roletype urole updpwd_t) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (sudo_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (sudo_type )) + (typeattributeset cil_gen_require privfd) + (typeattributeset privfd (sudo_type )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (sudo_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (sudo_exec_t sudo_tmp_type )) + (typeattributeset cil_gen_require tmpfile) + (typeattributeset tmpfile (sudo_tmp_type )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (sudo_exec_t sudo_tmp_type )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (sudo_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (sudo_type )) + (typeattributeset cil_gen_require polymember) + (typeattributeset polymember (sudo_tmp_type )) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset userdom_home_manager_type (sudo_type )) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (sudo_type )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (sudo_type )) + (typeattributeset cil_gen_require can_change_process_role) + (typeattributeset can_change_process_role (sudo_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset 
application_exec_type (sudo_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (sudo_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (sudo_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (sudo_exec_t sudo_tmp_type )) + (typeattributeset cil_gen_require sudodomain) + (typeattributeset sudodomain (sudo_type )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (sudo_type )) + (allow sudo_type kernel_t (system (module_request))) + (allow sudo_type sudo_exec_t (file (entrypoint))) + (allow sudo_type sudo_exec_t (file (ioctl read getattr lock map execute open))) + (allow sudo_type sudo_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow sudo_type tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition sudo_type tmp_t file sudo_tmp_type) + (allow sudo_type utype (dir (getattr open search))) + (allow sudo_type utype (file (ioctl read getattr lock open))) + (allow sudo_type utype (key (search))) + (allow sudo_type utype (unix_stream_socket (read write connectto))) + (allow utype sudo_exec_t (file (ioctl read getattr map execute open))) + (allow utype sudo_type (process (transition))) + (typetransition utype sudo_exec_t process sudo_type) + (allow sudo_type utype (fd (use))) + (allow sudo_type utype (fifo_file (ioctl read write getattr lock append))) + (allow sudo_type utype (process (sigchld))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (ioctl read getattr lock open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type shell_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type shell_exec_t process utype) + 
(allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (allow sudo_type usr_t (dir (getattr open search))) + (allow sudo_type usr_t (lnk_file (read getattr))) + (allow sudo_type usr_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type bin_t process utype) + (typetransition sudo_type usr_t process utype) + (allow sudo_type user_home_t (dir (getattr open search))) + (allow sudo_type user_home_t (lnk_file (read getattr))) + (allow sudo_type user_home_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type user_home_t process utype) + (allow sudo_type tmpfs_t (dir (getattr open search))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmp_t (lnk_file (read getattr))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type user_tmp_t (dir (getattr open search))) + (allow sudo_type user_tmp_t (lnk_file (read getattr))) + (allow sudo_type user_tmp_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type user_tmp_t process utype) + (allow utype sudo_exec_t (file (entrypoint))) + (allow utype sudo_exec_t (file (ioctl read getattr lock map execute open))) + (allow sudo_type sudo_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type sudo_exec_t process utype) + (allow utype sudo_type (fd (use))) + (allow utype sudo_type (fifo_file (ioctl read write getattr lock append open))) + (allow utype sudo_type (process (sigchld sigkill sigstop signull signal))) + (allow sudo_type security_t (lnk_file (read getattr))) + (allow sudo_type sysfs_t (filesystem (getattr))) + (allow sudo_type sysfs_t 
(dir (getattr open search))) + (allow sudo_type sysfs_t (dir (getattr open search))) + (allow sudo_type security_t (filesystem (getattr))) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type selinux_config_t (dir (ioctl read getattr lock open search))) + (allow sudo_type selinux_config_t (dir (getattr open search))) + (allow sudo_type selinux_config_t (file (ioctl read getattr lock open))) + (allow sudo_type selinux_config_t (dir (getattr open search))) + (allow sudo_type selinux_config_t (lnk_file (read getattr))) + (allow sudo_type auth_cache_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type chkpwd_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type chkpwd_t (process (transition))) + (typetransition sudo_type chkpwd_exec_t process chkpwd_t) + (allow chkpwd_t sudo_type (fd (use))) + (allow chkpwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow chkpwd_t sudo_type (process (sigchld))) + (allow sudo_type chkpwd_exec_t (file (map))) + (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open))) + (allow sudo_type device_t (dir (getattr open search))) + (allow sudo_type random_device_t (chr_file (ioctl read getattr lock open))) + (allow sudo_type device_t (dir (getattr open search))) + (allow sudo_type urandom_device_t (chr_file (ioctl read getattr lock open))) + (allow sudo_type var_t (dir (getattr open search))) + (allow sudo_type var_log_t (dir (getattr open search))) + (allow sudo_type faillog_t (dir (getattr open search))) + (allow sudo_type faillog_t (file (ioctl read write getattr lock append open))) + (allow sudo_type self (capability (audit_write))) + (allow sudo_type self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt 
shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit))) + (allow sudo_type cert_t (dir (ioctl read getattr lock open search))) + (allow sudo_type cert_t (dir (getattr open search))) + (allow sudo_type cert_t (file (ioctl read getattr lock open))) + (allow sudo_type cert_t (dir (getattr open search))) + (allow sudo_type cert_t (lnk_file (read getattr))) + (allow sudo_type updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type updpwd_t (process (transition))) + (typetransition sudo_type updpwd_exec_t process updpwd_t) + (allow updpwd_t sudo_type (fd (use))) + (allow updpwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t sudo_type (process (sigchld))) + (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open))) + (allow sudo_type updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type updpwd_t (process (transition))) + (typetransition sudo_type updpwd_exec_t process updpwd_t) + (allow updpwd_t sudo_type (fd (use))) + (allow updpwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t sudo_type (process (sigchld))) + (dontaudit sudo_type shadow_t (file (ioctl read getattr lock open))) + (allow sudo_type syslogd_var_run_t (dir (getattr open search))) + (allow sudo_type syslogd_var_run_t (file (ioctl read getattr lock open map))) + (allow sudo_type syslogd_var_run_t (dir (getattr open search))) + (allow sudo_type syslogd_var_run_t (dir (ioctl read getattr lock open search))) + (allow sudo_type device_t (dir (getattr open search))) + (allow sudo_type device_t (dir (ioctl read getattr lock open search))) + (allow sudo_type device_t (dir (getattr open search))) + (allow sudo_type device_t (lnk_file (read getattr))) + (allow sudo_type devpts_t (dir (ioctl read getattr lock open search))) + (allow sudo_type devpts_t (chr_file (ioctl read write getattr lock append open))) + (allow sudo_type devpts_t (chr_file (setattr))) + (allow sudo_type sshd_devpts_t (chr_file 
(ioctl read write getattr lock append))) + (allow sudo_type systemd_unit_file_type (service (start stop status reload enable disable))) + (allow sudo_type init_script_file_type (service (start stop status reload enable disable))) + (optional confinedom_sudo_optional_3 + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require krb5_keytab_t) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type krb5_keytab_t (dir (ioctl read getattr lock open search))) + (allow sudo_type krb5_keytab_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_sudo_optional_4 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require pcscd_var_run_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require pcscd_t) + (allow sudo_type var_t (lnk_file (read getattr))) + (allow sudo_type var_run_t (lnk_file (read getattr))) + (allow sudo_type var_t (dir (getattr open search))) + (allow sudo_type var_run_t (dir (getattr open search))) + (allow sudo_type pcscd_var_run_t (dir (getattr open search))) + (allow sudo_type pcscd_var_run_t (file (ioctl read getattr lock open))) + (allow sudo_type var_t (lnk_file (read getattr))) + (allow sudo_type var_run_t (lnk_file (read getattr))) + (allow sudo_type var_t (dir (getattr open search))) + (allow sudo_type var_run_t (dir (getattr open search))) + (allow sudo_type pcscd_var_run_t (dir (getattr open search))) + (allow sudo_type pcscd_var_run_t (sock_file (write getattr append open))) + (allow sudo_type pcscd_t (unix_stream_socket (connectto))) + ) + (optional confinedom_sudo_optional_5 + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require samba_var_t) + (typeattributeset cil_gen_require winbind_t) + (typeattributeset cil_gen_require winbind_var_run_t) + (typeattributeset cil_gen_require smbd_var_run_t) + (typeattributeset cil_gen_require 
samba_etc_t) + (allow sudo_type var_t (lnk_file (read getattr))) + (allow sudo_type var_run_t (lnk_file (read getattr))) + (allow sudo_type var_t (dir (getattr open search))) + (allow sudo_type var_run_t (dir (getattr open search))) + (allow sudo_type smbd_var_run_t (dir (getattr open search))) + (allow sudo_type samba_var_t (dir (getattr open search))) + (allow sudo_type winbind_var_run_t (dir (getattr open search))) + (allow sudo_type winbind_var_run_t (sock_file (write getattr append open))) + (allow sudo_type winbind_t (unix_stream_socket (connectto))) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type samba_etc_t (dir (getattr open search))) + (allow sudo_type samba_etc_t (dir (ioctl read getattr lock open search))) + (allow sudo_type samba_etc_t (dir (getattr open search))) + (allow sudo_type samba_etc_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_sudo_optional_6 + (typeattributeset cil_gen_require mta_user_agent) + (typeattributeset cil_gen_require user_mail_t) + (typeattributeset cil_gen_require sendmail_exec_t) + (roleattributeset cil_gen_require urole) + (roletype urole mta_user_agent) + (roletype urole user_mail_t) + (allow sudo_type sendmail_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type user_mail_t (process (transition))) + (typetransition sudo_type sendmail_exec_t process user_mail_t) + (allow user_mail_t sudo_type (fd (use))) + (allow user_mail_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow user_mail_t sudo_type (process (sigchld))) + (allow sudo_type sendmail_exec_t (lnk_file (read getattr))) + (allow mta_user_agent sudo_type (fd (use))) + (allow mta_user_agent sudo_type (process (sigchld))) + (allow mta_user_agent sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow sudo_type user_mail_t (process (signal))) + (optional confinedom_sudo_optional_7 + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require exim_t) + 
(typeattributeset cil_gen_require exim_exec_t) + (roleattributeset cil_gen_require urole) + (roletype urole exim_t) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type exim_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type exim_t (process (transition))) + (typetransition sudo_type exim_exec_t process exim_t) + (allow exim_t sudo_type (fd (use))) + (allow exim_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow exim_t sudo_type (process (sigchld))) + ) + (optional confinedom_sudo_optional_8 + (typeattributeset cil_gen_require mailman_mail_t) + (typeattributeset cil_gen_require mailman_mail_exec_t) + (roleattributeset cil_gen_require urole) + (roletype urole mailman_mail_t) + (allow mta_user_agent mailman_mail_exec_t (file (ioctl read getattr map execute open))) + (allow mta_user_agent mailman_mail_t (process (transition))) + (typetransition mta_user_agent mailman_mail_exec_t process mailman_mail_t) + (allow mailman_mail_t mta_user_agent (fd (use))) + (allow mailman_mail_t mta_user_agent (fifo_file (ioctl read write getattr lock append))) + (allow mailman_mail_t mta_user_agent (process (sigchld))) + ) + ) + (optional confinedom_sudo_optional_9 + (roleattributeset cil_gen_require rpm_script_roles) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require rpm_t) + (typeattributeset cil_gen_require rpm_script_t) + (typeattributeset cil_gen_require rpm_exec_t) + (typeattributeset cil_gen_require rpm_transition_domain) + (typeattributeset cil_gen_require debuginfo_exec_t) + (typeattributeset cil_gen_require can_system_change) + (roleattributeset cil_gen_require rpm_script_roles) + (roleattributeset rpm_script_roles (urole )) + (typeattributeset cil_gen_require rpm_transition_domain) + (typeattributeset rpm_transition_domain 
(sudo_type )) + (typeattributeset cil_gen_require can_system_change) + (typeattributeset can_system_change (sudo_type )) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type rpm_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type rpm_t (process (transition))) + (typetransition sudo_type rpm_exec_t process rpm_t) + (allow rpm_t sudo_type (fd (use))) + (allow rpm_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow rpm_t sudo_type (process (sigchld))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type debuginfo_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type rpm_t (process (transition))) + (typetransition sudo_type debuginfo_exec_t process rpm_t) + (allow rpm_t sudo_type (fd (use))) + (allow rpm_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow rpm_t sudo_type (process (sigchld))) + (allow sudo_type debuginfo_exec_t (dir (getattr open search))) + (allow sudo_type debuginfo_exec_t (lnk_file (read getattr))) + (allow sudo_type rpm_script_t (process (transition))) + (allow sudo_type rpm_script_t (fd (use))) + (allow rpm_script_t sudo_type (fd (use))) + (allow rpm_script_t sudo_type (fifo_file (ioctl read write getattr lock append open))) + (allow rpm_script_t sudo_type (process (sigchld))) + ) + (optional confinedom_sudo_optional_10 + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset 
cil_gen_require krb5_host_rcache_t) + (typeattributeset cil_gen_require can_change_object_identity) + (typeattributeset cil_gen_require default_context_t) + (typeattributeset cil_gen_require file_context_t) + (typeattributeset cil_gen_require krb5_conf_t) + (typeattributeset cil_gen_require krb5_home_t) + (typeattributeset cil_gen_require can_change_object_identity) + (typeattributeset can_change_object_identity (sudo_type )) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type krb5_conf_t (file (ioctl read getattr lock open))) + (allow sudo_type krb5_home_t (file (ioctl read getattr lock open))) + (booleanif (kerberos_enabled) + (true + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmp_t (lnk_file (read getattr))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmpfs_t (dir (getattr open search))) + (allow sudo_type krb5_host_rcache_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow sudo_type krb5_host_rcache_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmp_t (lnk_file (read getattr))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmpfs_t (dir (getattr open search))) + (allow sudo_type file_context_t (file (map))) + (allow sudo_type file_context_t (lnk_file (read getattr))) + (allow sudo_type file_context_t (dir (getattr open search))) + (allow sudo_type file_context_t (file (ioctl read getattr lock open))) + (allow sudo_type file_context_t (dir (getattr open search))) + (allow sudo_type file_context_t (dir (ioctl read getattr lock open search))) + (allow sudo_type file_context_t (dir (getattr open search))) + (allow sudo_type selinux_config_t (dir (getattr open search))) + (allow sudo_type default_context_t 
(dir (getattr open search))) + (allow sudo_type etc_t (dir (getattr open search))) + (allow sudo_type security_t (security (check_context))) + (allow sudo_type security_t (file (ioctl read write getattr lock append map open))) + (allow sudo_type security_t (dir (ioctl read getattr lock open search))) + (allow sudo_type security_t (lnk_file (read getattr))) + (allow sudo_type sysfs_t (dir (getattr open search))) + (allow sudo_type sysfs_t (dir (getattr open search))) + (allow sudo_type sysfs_t (filesystem (getattr))) + (allow sudo_type self (process (setfscreate))) + ) + ) + ) + (optional confinedom_sudo_optional_11 + (typeattributeset cil_gen_require systemd_systemctl_exec_t) + (allow sudo_type systemd_systemctl_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type utype (process (transition))) + (typetransition sudo_type systemd_systemctl_exec_t process utype) + (allow utype systemd_systemctl_exec_t (file (entrypoint))) + ) + (optional confinedom_sudo_optional_12 + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (allow sudo_type user_tmp_t (sock_file (write getattr append open))) + (allow sudo_type tmpfs_t (dir (getattr open search))) + (allow sudo_type tmp_t (dir (getattr open search))) + (allow sudo_type tmp_t (lnk_file (read getattr))) + (allow sudo_type tmp_t (dir (getattr open search))) + (optional confinedom_sudo_optional_13 + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require passwd_t) + (typeattributeset cil_gen_require passwd_exec_t) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (lnk_file (read getattr))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type bin_t (dir (getattr open search))) + (allow sudo_type passwd_exec_t (file (ioctl read getattr map execute open))) + (allow sudo_type passwd_t (process (transition))) + (typetransition sudo_type passwd_exec_t process 
passwd_t) + (allow passwd_t sudo_type (fd (use))) + (allow passwd_t sudo_type (fifo_file (ioctl read write getattr lock append))) + (allow passwd_t sudo_type (process (sigchld))) + ) + ) + ) +) + +(macro confinedom_user_login_macro ((type utype) (role urole) (type gkeyringd_type) (type dbusd_type) (boolean exec_content_bool)) + (optional confinedom_user_login_optional_2 + (roletype object_r utype) + (typeattributeset cil_gen_require userdomain) + (typeattributeset cil_gen_require login_confinedom) + (typeattributeset cil_gen_require user_devpts_t) + (typeattributeset cil_gen_require user_tty_device_t) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require process_user_target) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require userdom_filetrans_type) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require user_tmp_type) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require user_home_t) + (typeattributeset cil_gen_require user_home_type) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require user_home_content_type) + (typeattributeset cil_gen_require polymember) + (typeattributeset cil_gen_require nfs_t) + (typeattributeset cil_gen_require cifs_t) + (typeattributeset cil_gen_require bsdpty_device_t) + (typeattributeset cil_gen_require devpts_t) + (typeattributeset cil_gen_require ptmx_t) + (typeattributeset cil_gen_require device_t) + (typeattributeset 
cil_gen_require ttynode) + (typeattributeset cil_gen_require ptynode) + (typeattributeset cil_gen_require console_device_t) + (typeattributeset cil_gen_require tty_device_t) + (typeattributeset cil_gen_require server_ptynode) + (typeattributeset cil_gen_require device_node) + (typeattributeset cil_gen_require virtio_device_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require base_ro_file_type) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset cil_gen_require chkpwd_t) + (typeattributeset cil_gen_require chkpwd_exec_t) + (typeattributeset cil_gen_require shadow_t) + (typeattributeset cil_gen_require updpwd_t) + (typeattributeset cil_gen_require updpwd_exec_t) + (typeattributeset cil_gen_require passwd_file_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require boot_t) + (typeattributeset cil_gen_require cgroup_t) + (typeattributeset cil_gen_require filesystem_type) + (typeattributeset cil_gen_require fs_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require init_exec_t) + (typeattributeset cil_gen_require systemd_systemctl_exec_t) + (typeattributeset cil_gen_require efivarfs_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require init_var_run_t) + (typeattributeset cil_gen_require systemd_logind_var_run_t) + (typeattributeset cil_gen_require systemd_passwd_agent_t) + (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) + (typeattributeset cil_gen_require systemd_passwd_var_run_t) + (typeattributeset cil_gen_require kernel_t) + (typeattributeset cil_gen_require sysctl_type) + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require 
proc_net_t) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require locale_t) + (typeattributeset cil_gen_require mount_var_run_t) + (typeattributeset cil_gen_require sound_device_t) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require selinux_config_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require default_context_t) + (typeattributeset cil_gen_require file_context_t) + (typeattributeset cil_gen_require fixed_disk_device_t) + (typeattributeset cil_gen_require systemd_hostnamed_t) + (typeattributeset cil_gen_require systemd_tmpfiles_exec_t) + (typeattributeset cil_gen_require udev_var_run_t) + (roleattributeset cil_gen_require urole) + (roletype urole utype) + (roletype urole user_tmp_t) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (utype )) + (typeattributeset cil_gen_require login_confinedom) + (typeattributeset login_confinedom (utype )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (utype )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (utype )) + (typeattributeset cil_gen_require device_node) + (typeattributeset device_node (user_devpts_t )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (utype shell_exec_t )) + (typeattributeset cil_gen_require ptynode) + (typeattributeset ptynode (user_devpts_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (utype shell_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (shell_exec_t )) + (typeattributeset cil_gen_require user_home_content_type) + (typeattributeset user_home_content_type (utype )) + (typeattributeset cil_gen_require polymember) + (typeattributeset polymember (utype )) + 
(typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (utype )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (utype )) + (typeattributeset cil_gen_require userdom_filetrans_type) + (typeattributeset userdom_filetrans_type (utype )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (utype )) + (typeattributeset cil_gen_require user_home_type) + (typeattributeset user_home_type (utype )) + (typeattributeset cil_gen_require userdomain) + (typeattributeset userdomain (utype )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (shell_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (utype shell_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (utype )) + (typeattributeset cil_gen_require process_user_target) + (typeattributeset process_user_target (utype )) + (allow utype shell_exec_t (file (entrypoint))) + (allow utype shell_exec_t (file (ioctl read getattr lock map execute open))) + (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (typemember utype tmp_t dir user_tmp_t) + (allow utype user_tmp_type (dir (mounton))) + (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + 
(allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition utype tmp_t fifo_file user_tmp_t) + (typetransition utype tmp_t sock_file user_tmp_t) + (typetransition utype tmp_t lnk_file user_tmp_t) + (typetransition utype tmp_t dir user_tmp_t) + (typetransition utype tmp_t file user_tmp_t) + (allow user_tmp_t tmpfs_t (filesystem (associate))) + (allow utype tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition utype tmpfs_t fifo_file user_tmp_t) + (typetransition utype tmpfs_t sock_file user_tmp_t) + (typetransition utype tmpfs_t lnk_file user_tmp_t) + (typetransition utype tmpfs_t dir user_tmp_t) + (typetransition utype tmpfs_t file user_tmp_t) + (allow utype user_tmp_type (dir (getattr open search))) + (allow utype user_tmp_type (dir (getattr relabelfrom relabelto))) + (allow utype user_tmp_type (dir (getattr open search))) + (allow utype user_tmp_type (file (getattr relabelfrom relabelto))) + (allow utype user_tmp_type (dir (getattr open search))) + (allow utype user_tmp_type 
(lnk_file (getattr relabelfrom relabelto))) + (allow utype user_tmp_type (dir (getattr open search))) + (allow utype user_tmp_type (sock_file (getattr relabelfrom relabelto))) + (allow utype user_tmp_type (dir (getattr open search))) + (allow utype user_tmp_type (fifo_file (getattr relabelfrom relabelto))) + (allow utype user_tmp_type (file (map))) + (allow utype home_root_t (dir (ioctl read getattr lock open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (dir (ioctl 
read write getattr lock open add_name remove_name search))) + (allow utype user_home_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_home_dir_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition utype user_home_dir_t fifo_file user_home_t) + (typetransition utype user_home_dir_t sock_file user_home_t) + (typetransition utype user_home_dir_t lnk_file user_home_t) + (typetransition utype user_home_dir_t dir user_home_t) + (typetransition utype user_home_dir_t file user_home_t) + (allow login_confinedom self (capability (mknod))) + (allow login_confinedom user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow login_confinedom user_tmp_t (chr_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow login_confinedom tmpfs_t (dir (getattr open search))) + (allow login_confinedom tmp_t (dir (getattr open search))) + (allow login_confinedom tmp_t (lnk_file (read getattr))) + (allow login_confinedom tmp_t (dir (getattr open search))) + (allow utype user_tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype user_tmp_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype tmp_t (lnk_file (read getattr))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype user_home_t (filesystem (associate))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype ptmx_t (chr_file (ioctl read write getattr lock append open))) + (allow utype devpts_t (dir (ioctl read getattr lock open search))) + (allow utype devpts_t (filesystem 
(getattr))) + (dontaudit utype bsdpty_device_t (chr_file (read write getattr))) + (typetransition utype devpts_t chr_file user_devpts_t) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype devpts_t (dir (ioctl read getattr lock open search))) + (allow utype devpts_t (chr_file (ioctl read write getattr lock append open))) + (allow utype ttynode (chr_file (ioctl read write getattr lock append open))) + (allow utype ptynode (chr_file (ioctl read write getattr lock append open))) + (allow utype console_device_t (chr_file (ioctl read write getattr lock append open))) + (allow utype tty_device_t (chr_file (ioctl read write getattr lock append open))) + (allow user_devpts_t devpts_t (filesystem (associate))) + (allow utype user_devpts_t (chr_file (setattr))) + (typechange utype server_ptynode chr_file user_devpts_t) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype virtio_device_t (chr_file (ioctl read write getattr lock append open))) + (allow utype utype (capability (chown dac_read_search setgid setuid audit_write))) + (allow utype utype (dbus (acquire_svc))) + (allow utype utype (process (setsched setcap setfscreate setsockcreate))) + (allow utype utype (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write nlmsg_relay))) + (allow utype utype (netlink_kobject_uevent_socket (create getattr bind getopt setopt))) + (allow utype utype (unix_dgram_socket (ioctl create bind connect getopt setopt sendto))) + (allow utype utype (unix_stream_socket (connectto))) + (allow utype utype (context (contains))) + (dontaudit utype 
exec_type (file (execute execute_no_trans))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (ioctl read getattr lock open search))) + (allow utype bin_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype base_ro_file_type (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (ioctl read getattr lock open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype shell_exec_t (file (map))) + (allow utype application_exec_type (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype chkpwd_exec_t (file (ioctl read getattr map execute open))) + (allow utype chkpwd_t (process (transition))) + (typetransition utype chkpwd_exec_t process chkpwd_t) + (allow chkpwd_t utype (fd (use))) + (allow chkpwd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow chkpwd_t utype (process (sigchld))) + (dontaudit utype shadow_t (file (read getattr))) + (allow utype updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow utype updpwd_t (process (transition))) + (typetransition utype updpwd_exec_t process updpwd_t) + (allow updpwd_t utype (fd (use))) + (allow updpwd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t utype (process (sigchld))) + (dontaudit utype shadow_t (file (ioctl read getattr lock open))) + (allow utype passwd_file_t (file (ioctl read getattr lock open))) + (allow utype init_t (dbus 
(send_msg))) + (allow init_t utype (dbus (send_msg))) + (dontaudit utype boot_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (dontaudit utype boot_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype cgroup_t (filesystem (getattr))) + (allow utype filesystem_type (dir (getattr))) + (allow utype tmpfs_t (filesystem (getattr))) + (allow utype fs_t (filesystem (getattr))) + (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cgroup_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cgroup_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype cgroup_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype cgroup_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype tmpfs_t (file (ioctl read getattr lock open))) + (allow utype filesystem_type (dir (getattr open search))) + (allow utype init_exec_t (file (entrypoint))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype 
init_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype init_t (system (status))) + (allow utype init_t (service (status))) + (allow utype kernel_t (unix_dgram_socket (sendto))) + (allow utype sysctl_type (dir (getattr open search))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_net_t (dir (getattr open search))) + (allow utype sysctl_type (file (ioctl read getattr lock open))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_net_t (dir (getattr open search))) + (allow utype sysctl_type (dir (ioctl read getattr lock open search))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_net_t (dir (getattr open search))) + (allow utype proc_net_t (file (ioctl read getattr lock open))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_net_t (dir (getattr open search))) + (allow utype proc_net_t (lnk_file (read getattr))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_net_t (dir (ioctl read getattr lock open search))) + (allow utype kernel_t (system (module_request))) + (allow utype kernel_t (unix_stream_socket (getattr connectto))) + (allow utype locale_t (dir (getattr open search))) + (allow utype locale_t (lnk_file (getattr watch))) + (allow utype mount_var_run_t (dir (getattr open search))) + (allow utype mount_var_run_t (file (ioctl read getattr lock open))) + (allow utype mount_var_run_t (dir (getattr open search))) + (allow utype mount_var_run_t (dir (ioctl read getattr lock open search watch watch_reads))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow 
utype mount_var_run_t (dir (getattr open search))) + (allow utype mount_var_run_t (dir (getattr watch))) + (allow utype device_t (dir (getattr open search))) + (allow utype sound_device_t (chr_file (getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (file (ioctl read getattr lock open))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (lnk_file (read getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (ioctl read getattr lock open search))) + (allow utype proc_t (dir (getattr open search))) + (allow utype proc_t (dir (getattr open search))) + (allow utype domain (dir (ioctl read getattr lock open search))) + (allow utype domain (dir (getattr open search))) + (allow utype domain (file (ioctl read getattr lock open))) + (allow utype domain (dir (getattr open search))) + (allow utype domain (lnk_file (read getattr))) + (allow utype sysfs_t (filesystem (getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read write getattr lock append open))) + (allow utype security_t (security (compute_av))) + (allow utype sysfs_t (filesystem (getattr))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read write getattr lock append open))) + (allow utype security_t (security (compute_create))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype sysfs_t (filesystem (getattr))) + (allow utype sysfs_t (dir (getattr open search))) + 
(allow utype sysfs_t (dir (getattr open search))) + (allow utype security_t (filesystem (getattr))) + (allow utype security_t (dir (ioctl read getattr lock open search))) + (allow utype security_t (file (ioctl read getattr map open))) + (allow utype security_t (lnk_file (read getattr))) + (allow utype etc_t (dir (getattr open search))) + (allow utype selinux_config_t (dir (ioctl read getattr lock open search))) + (allow utype selinux_config_t (dir (getattr open search))) + (allow utype selinux_config_t (file (ioctl read getattr lock open))) + (allow utype selinux_config_t (dir (getattr open search))) + (allow utype selinux_config_t (lnk_file (read getattr))) + (allow utype etc_t (dir (getattr open search))) + (allow utype selinux_config_t (dir (getattr open search))) + (allow utype default_context_t (dir (getattr open search))) + (allow utype file_context_t (dir (getattr open search))) + (allow utype file_context_t (dir (ioctl read getattr lock open search))) + (allow utype file_context_t (dir (getattr open search))) + (allow utype file_context_t (file (ioctl read getattr lock open))) + (allow utype file_context_t (dir (getattr open search))) + (allow utype file_context_t (lnk_file (read getattr))) + (allow utype file_context_t (file (map))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype fixed_disk_device_t (blk_file (getattr))) + (allow utype systemd_hostnamed_t (dbus (send_msg))) + (allow systemd_hostnamed_t utype (dbus (send_msg))) + (allow systemd_hostnamed_t utype (dir (ioctl read getattr lock open search))) + (allow systemd_hostnamed_t utype (file (ioctl read getattr lock open))) + (allow systemd_hostnamed_t utype (lnk_file (read getattr))) + (allow systemd_hostnamed_t utype (process (getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t 
(lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (dir (ioctl read getattr lock open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (file (ioctl read getattr lock open))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (lnk_file (read getattr))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype efivarfs_t (dir (getattr open search))) + (allow utype efivarfs_t (file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) + (allow utype init_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype init_t (dir (getattr open search))) + (allow utype init_t (file (ioctl read getattr lock open))) + (allow utype init_t (lnk_file (read getattr))) + (allow utype init_t (unix_stream_socket (sendto))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (sock_file (write getattr append open))) + (allow utype init_t (unix_stream_socket (connectto))) + (allow utype init_t (unix_stream_socket (getattr))) + (dontaudit utype self (process (setrlimit))) + (dontaudit utype self 
(capability (sys_resource))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) + (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow systemd_passwd_agent_t utype (process (signull))) + (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) + (dontaudit utype self (capability (net_admin sys_ptrace))) + (allow utype systemd_tmpfiles_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype systemd_passwd_var_run_t (dir (getattr 
watch))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype systemd_unit_file_type (file (ioctl read getattr lock open))) + (allow utype systemd_unit_file_type (lnk_file (read getattr))) + (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype udev_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype udev_var_run_t (dir (getattr open search))) + (allow utype udev_var_run_t (file (ioctl read getattr lock open))) + (allow utype udev_var_run_t (dir (getattr open search))) + (allow utype udev_var_run_t (lnk_file (read getattr))) + (roleallow system_r urole) + (booleanif (deny_bluetooth) + (false + (allow utype self (bluetooth_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown))) + ) + ) + (booleanif (and (exec_content_bool) (use_samba_home_dirs)) + (true + (allow utype cifs_t (file (ioctl read getattr map execute open execute_no_trans))) + (allow utype cifs_t (dir (getattr open search))) + (allow utype cifs_t (dir (ioctl read getattr lock open search))) + ) + ) + (booleanif (and (exec_content_bool) (use_nfs_home_dirs)) + (true + (allow utype nfs_t (file (ioctl read getattr map execute open execute_no_trans))) + (allow utype nfs_t (dir (getattr open search))) + (allow utype nfs_t (dir (ioctl read getattr lock open search))) + ) + ) + (booleanif (exec_content_bool) + (true + (allow utype user_home_type (file (ioctl read getattr map execute open execute_no_trans))) + 
(allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_type (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype tmp_t (lnk_file (read getattr))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype user_tmp_t (file (ioctl read getattr map execute open execute_no_trans))) + (allow utype user_tmp_t (dir (getattr open search))) + (allow utype user_tmp_t (file (entrypoint))) + ) + ) + (optional confinedom_user_login_optional_3 + (typeattributeset cil_gen_require sssd_public_t) + (typeattributeset cil_gen_require sssd_var_lib_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require sssd_t) + (typeattributeset cil_gen_require var_run_t) + (allow utype sssd_var_lib_t (dir (getattr open search))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype sssd_public_t (dir (getattr open search))) + (allow utype sssd_public_t (dir (ioctl read getattr lock open search))) + (allow utype sssd_public_t (dir (getattr open search))) + (allow utype sssd_public_t (file (ioctl read getattr lock open))) + (allow utype sssd_public_t (file (map))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype sssd_var_lib_t (dir (getattr open search))) + (allow utype sssd_var_lib_t (sock_file (write getattr append open))) + (allow utype sssd_t (unix_stream_socket (connectto))) + ) + (optional confinedom_user_login_optional_4 + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require var_t) + 
(typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require cgroup_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require systemd_systemctl_exec_t) + (typeattributeset cil_gen_require efivarfs_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require init_var_run_t) + (typeattributeset cil_gen_require systemd_logind_var_run_t) + (typeattributeset cil_gen_require systemd_passwd_agent_t) + (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) + (typeattributeset cil_gen_require systemd_passwd_var_run_t) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (dir (ioctl read getattr lock open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (file (ioctl read getattr lock open))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (lnk_file (read getattr))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype efivarfs_t (dir (getattr open search))) + (allow utype efivarfs_t (file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) + (allow utype init_var_run_t (dir 
(ioctl read getattr lock open search))) + (allow utype init_t (dir (getattr open search))) + (allow utype init_t (file (ioctl read getattr lock open))) + (allow utype init_t (lnk_file (read getattr))) + (allow utype init_t (unix_stream_socket (sendto))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (sock_file (write getattr append open))) + (allow utype init_t (unix_stream_socket (connectto))) + (allow utype init_t (unix_stream_socket (getattr))) + (dontaudit utype self (process (setrlimit))) + (dontaudit utype self (capability (sys_resource))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) + (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write 
getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow systemd_passwd_agent_t utype (process (signull))) + (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) + (dontaudit utype self (capability (net_admin sys_ptrace))) + (optional confinedom_user_login_optional_5 + (typeattributeset cil_gen_require bluetooth_t) + (allow utype bluetooth_t (dbus (send_msg))) + (allow bluetooth_t utype (dbus (send_msg))) + ) + (optional confinedom_user_login_optional_6 + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require base_ro_file_type) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset cil_gen_require chkpwd_t) + (typeattributeset cil_gen_require chkpwd_exec_t) + (typeattributeset cil_gen_require shadow_t) + (typeattributeset cil_gen_require updpwd_t) + (typeattributeset cil_gen_require updpwd_exec_t) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset 
cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require cronjob_t) + (typeattributeset cil_gen_require crontab_t) + (typeattributeset cil_gen_require crontab_exec_t) + (typeattributeset cil_gen_require user_cron_spool_t) + (typeattributeset cil_gen_require crond_t) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require auth_cache_t) + (typeattributeset cil_gen_require random_device_t) + (typeattributeset cil_gen_require urandom_device_t) + (typeattributeset cil_gen_require faillog_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require cert_t) + (typeattributeset cil_gen_require userdom_home_reader_type) + (roleattributeset cil_gen_require urole) + (roletype urole cronjob_t) + (roletype urole crontab_t) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (utype )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (utype )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (utype )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (crontab_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (crontab_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (crontab_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (utype )) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (utype )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (utype )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type (crontab_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset 
nsswitch_domain (utype )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (crontab_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (crontab_exec_t )) + (typeattributeset cil_gen_require userdom_home_reader_type) + (typeattributeset userdom_home_reader_type (utype )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (utype )) + (allow utype crontab_exec_t (file (ioctl read getattr map execute open))) + (allow utype crontab_t (process (transition))) + (typetransition utype crontab_exec_t process crontab_t) + (allow crontab_t utype (fd (use))) + (allow crontab_t utype (fifo_file (ioctl read write getattr lock append))) + (allow crontab_t utype (process (sigchld))) + (dontaudit crond_t utype (process (noatsecure siginh rlimitinh))) + (allow utype crond_t (process (sigchld))) + (allow utype user_cron_spool_t (file (ioctl read write getattr))) + (allow utype crontab_t (process (sigchld sigkill sigstop signull signal))) + (allow utype crontab_t (dir (ioctl read getattr lock open search))) + (allow utype crontab_t (file (ioctl read getattr lock open))) + (allow utype crontab_t (lnk_file (read getattr))) + (allow utype crontab_t (process (getattr))) + (allow utype crontab_exec_t (file (entrypoint))) + (allow utype crontab_exec_t (file (ioctl read getattr lock map execute open))) + (allow utype auth_cache_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype chkpwd_exec_t (file (ioctl read getattr map execute open))) + (allow utype chkpwd_t (process (transition))) + (typetransition utype chkpwd_exec_t process chkpwd_t) + (allow chkpwd_t utype (fd (use))) + (allow chkpwd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow chkpwd_t utype (process (sigchld))) + (allow 
utype chkpwd_exec_t (file (map))) + (dontaudit utype shadow_t (file (ioctl read getattr lock open))) + (allow utype device_t (dir (getattr open search))) + (allow utype random_device_t (chr_file (ioctl read getattr lock open))) + (allow utype device_t (dir (getattr open search))) + (allow utype urandom_device_t (chr_file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_log_t (dir (getattr open search))) + (allow utype faillog_t (dir (getattr open search))) + (allow utype faillog_t (file (ioctl read write getattr lock append open))) + (allow utype self (capability (audit_write))) + (allow utype self (netlink_audit_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_relay nlmsg_tty_audit))) + (allow utype cert_t (dir (ioctl read getattr lock open search))) + (allow utype cert_t (dir (getattr open search))) + (allow utype cert_t (file (ioctl read getattr lock open))) + (allow utype cert_t (dir (getattr open search))) + (allow utype cert_t (lnk_file (read getattr))) + (allow utype updpwd_exec_t (file (ioctl read getattr map execute open))) + (allow utype updpwd_t (process (transition))) + (typetransition utype updpwd_exec_t process updpwd_t) + (allow updpwd_t utype (fd (use))) + (allow updpwd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow updpwd_t utype (process (sigchld))) + (dontaudit utype shadow_t (file (ioctl read getattr lock open))) + (allow crontab_t bin_t (dir (getattr open search))) + (allow crontab_t bin_t (lnk_file (read getattr))) + (allow crontab_t bin_t (dir (getattr open search))) + (allow crontab_t bin_t (dir (ioctl read getattr lock open search))) + (allow crontab_t bin_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow crontab_t base_ro_file_type (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow crontab_t bin_t (dir (getattr open search))) + (allow crontab_t 
bin_t (dir (ioctl read getattr lock open search))) + (allow crontab_t bin_t (dir (getattr open search))) + (allow crontab_t bin_t (lnk_file (read getattr))) + (allow crontab_t shell_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow crontab_t shell_exec_t (file (map))) + (booleanif (cron_userdomain_transition) + (true + (allow utype cronjob_t (process (getattr))) + (allow utype cronjob_t (lnk_file (read getattr))) + (allow utype cronjob_t (file (ioctl read getattr lock open))) + (allow utype cronjob_t (dir (ioctl read getattr lock open search))) + (allow utype cronjob_t (process (sigchld sigkill sigstop signull signal))) + (allow utype crond_t (fifo_file (ioctl read write getattr lock append open))) + (allow utype user_cron_spool_t (file (entrypoint))) + (allow crond_t utype (key (view read write search link setattr create))) + (allow crond_t utype (fd (use))) + (allow crond_t utype (process (transition))) + ) + (false + (dontaudit utype cronjob_t (process (sigchld sigkill sigstop signull signal))) + (dontaudit utype crond_t (fifo_file (ioctl read write getattr lock append open))) + (dontaudit utype user_cron_spool_t (file (entrypoint))) + (dontaudit crond_t utype (key (view read write search link setattr create))) + (dontaudit crond_t utype (fd (use))) + (dontaudit crond_t utype (process (transition))) + ) + ) + (booleanif (deny_ptrace) + (false + (allow utype crontab_t (process (ptrace))) + ) + ) + (optional confinedom_user_login_optional_7 + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require krb5_keytab_t) + (allow utype etc_t (dir (getattr open search))) + (allow utype krb5_keytab_t (dir (ioctl read getattr lock open search))) + (allow utype krb5_keytab_t (file (ioctl read getattr lock open))) + ) + (optional confinedom_user_login_optional_8 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require pcscd_var_run_t) + (typeattributeset 
cil_gen_require pcscd_t) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype pcscd_var_run_t (dir (getattr open search))) + (allow utype pcscd_var_run_t (file (ioctl read getattr lock open))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype pcscd_var_run_t (dir (getattr open search))) + (allow utype pcscd_var_run_t (sock_file (write getattr append open))) + (allow utype pcscd_t (unix_stream_socket (connectto))) + ) + (optional confinedom_user_login_optional_9 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require etc_t) + (typeattributeset cil_gen_require samba_var_t) + (typeattributeset cil_gen_require winbind_t) + (typeattributeset cil_gen_require winbind_var_run_t) + (typeattributeset cil_gen_require smbd_var_run_t) + (typeattributeset cil_gen_require samba_etc_t) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype smbd_var_run_t (dir (getattr open search))) + (allow utype samba_var_t (dir (getattr open search))) + (allow utype winbind_var_run_t (dir (getattr open search))) + (allow utype winbind_var_run_t (sock_file (write getattr append open))) + (allow utype winbind_t (unix_stream_socket (connectto))) + (allow utype etc_t (dir (getattr open search))) + (allow utype samba_etc_t (dir (getattr open search))) + (allow utype samba_etc_t (dir (ioctl read getattr lock open search))) + (allow utype samba_etc_t (dir (getattr open search))) + (allow utype samba_etc_t (file (ioctl read getattr lock open))) 
+ ) + (optional confinedom_user_login_optional_10 + (typeattributeset cil_gen_require system_dbusd_t) + (allow cronjob_t utype (dbus (send_msg))) + ) + ) + (optional confinedom_user_login_optional_11 + ;(type dbusd_type) + (roletype object_r dbusd_type) + (typeattributeset cil_gen_require utype) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require security_t) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require system_dbusd_t) + (typeattributeset cil_gen_require session_dbusd_tmp_t) + (typeattributeset cil_gen_require dbusd_unconfined) + (typeattributeset cil_gen_require session_bus_type) + (typeattributeset cil_gen_require dbusd_exec_t) + (typeattributeset cil_gen_require dbusd_etc_t) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset cil_gen_require usr_t) + (roleattributeset cil_gen_require urole) + (roletype urole dbusd_type) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (dbusd_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (dbusd_type )) + (typeattributeset 
cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (dbusd_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (dbusd_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (dbusd_type )) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset userdom_home_manager_type (dbusd_type )) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset ubac_constrained_type (dbusd_type )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (dbusd_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type (dbusd_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (dbusd_type )) + (typeattributeset cil_gen_require session_bus_type) + (typeattributeset session_bus_type (dbusd_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (dbusd_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (dbusd_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (dbusd_type )) + (allow utype session_dbusd_tmp_t (dir (ioctl write getattr lock open add_name search))) + (allow utype session_dbusd_tmp_t (sock_file (create getattr setattr open))) + (allow utype system_dbusd_t (dbus (send_msg))) + (allow dbusd_type dbusd_exec_t (file (entrypoint))) + (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open))) + (allow dbusd_type security_t (lnk_file (read getattr))) + (allow dbusd_type sysfs_t (filesystem (getattr))) + (allow dbusd_type sysfs_t 
(dir (getattr open search))) + (allow dbusd_type sysfs_t (dir (getattr open search))) + (allow dbusd_type security_t (filesystem (getattr))) + (allow utype dbusd_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto))) + (allow dbusd_type utype (unix_stream_socket (read write getattr accept getopt))) + (allow dbusd_type utype (unix_dgram_socket (sendto))) + (allow utype dbusd_type (dbus (acquire_svc send_msg))) + (allow dbusd_unconfined dbusd_type (dbus (acquire_svc send_msg))) + (allow utype system_dbusd_t (dbus (acquire_svc send_msg))) + (allow utype dbusd_type (process (noatsecure siginh rlimitinh))) + (allow dbusd_type utype (dbus (send_msg))) + (allow utype dbusd_type (dbus (send_msg))) + (allow dbusd_type utype (system (start reload))) + (allow dbusd_type session_dbusd_tmp_t (service (start stop))) + (allow utype session_dbusd_tmp_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype session_dbusd_tmp_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow dbusd_type dbusd_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype dbusd_exec_t (file (ioctl read getattr map execute open))) + (allow utype dbusd_type (process (transition))) + (typetransition utype dbusd_exec_t process dbusd_type) + (allow dbusd_type utype (fd (use))) + (allow dbusd_type utype (fifo_file (ioctl read write getattr lock append))) + (allow dbusd_type utype (process (sigchld))) + (allow utype dbusd_type (dir (ioctl read getattr lock open search))) + (allow utype dbusd_type (file (ioctl read getattr lock open))) + (allow utype dbusd_type (lnk_file (read getattr))) + (allow utype dbusd_type (process (getattr))) + (allow utype dbusd_type (process (sigchld sigkill sigstop signull signal))) + (allow dbusd_type bin_t 
(dir (getattr open search))) + (allow dbusd_type bin_t (lnk_file (read getattr))) + (allow dbusd_type bin_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (allow dbusd_type usr_t (dir (getattr open search))) + (allow dbusd_type usr_t (lnk_file (read getattr))) + (allow dbusd_type usr_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type bin_t process utype) + (typetransition dbusd_type usr_t process utype) + (allow dbusd_type bin_t (dir (getattr open search))) + (allow dbusd_type bin_t (dir (ioctl read getattr lock open search))) + (allow dbusd_type bin_t (dir (getattr open search))) + (allow dbusd_type bin_t (lnk_file (read getattr))) + (allow dbusd_type shell_exec_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type shell_exec_t process utype) + (allow dbusd_type utype (process (sigkill))) + (allow utype dbusd_type (fd (use))) + (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append open))) + (allow dbusd_type file_type (service (start stop status reload enable disable))) + (dontaudit dbusd_type self (capability (net_admin))) + (allow utype session_dbusd_tmp_t (dir (getattr open search))) + (allow utype session_dbusd_tmp_t (sock_file (write getattr append open))) + (booleanif (deny_ptrace) + (false + (allow utype dbusd_type (process (ptrace))) + ) + ) + (optional confinedom_user_login_optional_12 + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require mozilla_exec_t) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (mozilla_exec_t )) + (typeattributeset cil_gen_require 
non_security_file_type) + (typeattributeset non_security_file_type (mozilla_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (mozilla_exec_t )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (mozilla_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (mozilla_exec_t )) + (allow utype mozilla_exec_t (file (entrypoint))) + (allow utype mozilla_exec_t (file (ioctl read getattr lock map execute open))) + (allow dbusd_type mozilla_exec_t (file (ioctl read getattr map execute open))) + (allow dbusd_type utype (process (transition))) + (typetransition dbusd_type mozilla_exec_t process utype) + (allow utype dbusd_type (fd (use))) + (allow utype dbusd_type (fifo_file (ioctl read write getattr lock append))) + (allow utype dbusd_type (process (sigchld))) + ) + (optional confinedom_user_login_optional_13 + (typeattributeset cil_gen_require systemd_unit_file_t) + (allow dbusd_type systemd_unit_file_t (service (start))) + ) + ) + (optional confinedom_user_login_optional_14 + ;(type gkeyringd_type) + (roletype object_r gkeyringd_type) + (roleattributeset cil_gen_require gconfd_roles) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require process_user_target) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset 
cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require gnomedomain) + (typeattributeset cil_gen_require gkeyringd_domain) + (typeattributeset cil_gen_require gnome_home_type) + (typeattributeset cil_gen_require gkeyringd_exec_t) + (typeattributeset cil_gen_require gkeyringd_tmp_t) + (typeattributeset cil_gen_require gconfd_t) + (typeattributeset cil_gen_require gconfd_exec_t) + (typeattributeset cil_gen_require gconf_tmp_t) + (typeattributeset cil_gen_require cache_home_t) + (roleattributeset cil_gen_require urole) + (roletype urole gkeyringd_type) + (roleattributeset cil_gen_require gconfd_roles) + (roleattributeset gconfd_roles (urole )) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (gkeyringd_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (gkeyringd_type )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (gkeyringd_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (gkeyringd_type )) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset userdom_home_manager_type (gkeyringd_type )) + (typeattributeset cil_gen_require ubac_constrained_type) + 
(typeattributeset ubac_constrained_type (gkeyringd_type )) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (gkeyringd_type )) + (typeattributeset cil_gen_require gnomedomain) + (typeattributeset gnomedomain (gkeyringd_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require gkeyringd_domain) + (typeattributeset gkeyringd_domain (gkeyringd_type )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (gkeyringd_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (gkeyringd_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (gkeyringd_type )) + (typeattributeset cil_gen_require process_user_target) + (typeattributeset process_user_target (gkeyringd_type )) + (allow gkeyringd_type gkeyringd_exec_t (file (entrypoint))) + (allow gkeyringd_type gkeyringd_exec_t (file (ioctl read getattr lock map execute open))) + (allow utype gconfd_exec_t (file (ioctl read getattr map execute open))) + (allow utype gconfd_t (process (transition))) + (typetransition utype gconfd_exec_t process gconfd_t) + (allow gconfd_t utype (fd (use))) + (allow gconfd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow gconfd_t utype (process (sigchld))) + (allow utype gconfd_t (process (sigchld sigkill sigstop signull signal))) + (allow utype gconfd_t (unix_stream_socket (connectto))) + (allow utype gconfd_t (dir (ioctl read getattr lock open search))) + (allow utype gconfd_t (file (ioctl read getattr lock open))) + (allow utype gconfd_t (lnk_file (read getattr))) + (allow utype gconfd_t (process (getattr))) + (allow gkeyringd_type utype (unix_stream_socket (ioctl read write create getattr setattr lock 
append bind connect listen accept getopt setopt shutdown connectto))) + (allow gkeyringd_type self (process (setsched))) + (allow utype gkeyringd_exec_t (file (ioctl read getattr map execute open))) + (allow utype gkeyringd_type (process (transition))) + (typetransition utype gkeyringd_exec_t process gkeyringd_type) + (allow gkeyringd_type utype (fd (use))) + (allow gkeyringd_type utype (fifo_file (ioctl read write getattr lock append))) + (allow gkeyringd_type utype (process (sigchld))) + (allow utype gnome_home_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype gkeyringd_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype gconf_tmp_t (dir (ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow utype gnome_home_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype gkeyringd_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype gconf_tmp_t (file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open watch watch_reads))) + (allow utype gkeyringd_tmp_t (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open))) + (allow utype gkeyringd_type (dir (ioctl read getattr lock open search))) + (allow utype gkeyringd_type (file (ioctl read getattr lock open))) + (allow utype gkeyringd_type (lnk_file (read getattr))) + (allow utype gkeyringd_type (process (getattr))) + (allow utype gkeyringd_type (process (sigchld sigkill sigstop signull 
signal))) + (dontaudit utype gkeyringd_exec_t (file (entrypoint))) + (allow gkeyringd_type utype (process (sigkill))) + (allow utype gkeyringd_type (fd (use))) + (allow utype gkeyringd_type (fifo_file (ioctl read write getattr lock append open))) + (allow utype gkeyringd_type (dbus (acquire_svc))) + (allow utype gkeyringd_tmp_t (dir (getattr open search))) + (allow utype gkeyringd_tmp_t (sock_file (write getattr append open))) + (allow utype gkeyringd_type (unix_stream_socket (connectto))) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type bin_t (lnk_file (read getattr))) + (allow gkeyringd_type bin_t (file (ioctl read getattr map execute open))) + (allow gkeyringd_type utype (process (transition))) + (allow gkeyringd_type usr_t (dir (getattr open search))) + (allow gkeyringd_type usr_t (lnk_file (read getattr))) + (allow gkeyringd_type usr_t (file (ioctl read getattr map execute open))) + (allow gkeyringd_type utype (process (transition))) + (typetransition gkeyringd_type bin_t process utype) + (typetransition gkeyringd_type usr_t process utype) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type bin_t (dir (ioctl read getattr lock open search))) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type bin_t (lnk_file (read getattr))) + (allow gkeyringd_type shell_exec_t (file (ioctl read getattr map execute open))) + (allow gkeyringd_type utype (process (transition))) + (typetransition gkeyringd_type shell_exec_t process utype) + (allow utype gconf_tmp_t (dir (getattr open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype tmp_t (lnk_file (read getattr))) + (allow utype tmp_t (dir (getattr open search))) + (allow utype user_tmp_t (dir (getattr open search))) + (allow utype gkeyringd_tmp_t (dir (getattr open search))) + (allow utype gkeyringd_tmp_t (sock_file (write getattr append open))) + (allow 
utype gkeyringd_domain (unix_stream_socket (connectto))) + (allow utype cache_home_t (dir (getattr open search))) + (allow utype cache_home_t (sock_file (write getattr append open))) + (allow utype gkeyringd_domain (unix_stream_socket (connectto))) + (allow gkeyringd_type utype (dir (ioctl read getattr lock open search))) + (allow gkeyringd_type utype (file (ioctl read getattr lock open))) + (allow gkeyringd_type utype (lnk_file (read getattr))) + (allow gkeyringd_type utype (process (getattr))) + (allow gkeyringd_type user_tmp_t (dir (ioctl read getattr lock open search))) + (allow gkeyringd_type user_tmp_t (sock_file (read write getattr append))) + (allow gkeyringd_type tmpfs_t (dir (getattr open search))) + (allow gkeyringd_type tmp_t (dir (getattr open search))) + (allow gkeyringd_type tmp_t (lnk_file (read getattr))) + (allow gkeyringd_type tmp_t (dir (getattr open search))) + (allow gkeyringd_type utype (dbus (acquire_svc send_msg))) + (allow utype gkeyringd_type (dbus (send_msg))) + (optional confinedom_user_login_optional_15 + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require home_root_t) + (typeattributeset cil_gen_require system_dbusd_t) + (typeattributeset cil_gen_require session_bus_type) + (typeattributeset cil_gen_require dbusd_type) + (typeattributeset cil_gen_require gnome_home_t) + (typeattributeset cil_gen_require data_home_t) + (typeattributeset cil_gen_require gconf_home_t) + (allow dbusd_type gkeyringd_exec_t (file (ioctl read getattr map execute open))) + (allow dbusd_type gkeyringd_type (process (transition))) + (typetransition dbusd_type gkeyringd_exec_t process gkeyringd_type) + (allow gkeyringd_type dbusd_type (fd (use))) + (allow gkeyringd_type dbusd_type (fifo_file (ioctl read write getattr lock append))) + (allow gkeyringd_type dbusd_type (process (sigchld))) + (allow gkeyringd_type session_bus_type (dbus (send_msg))) + (allow gkeyringd_type self (dbus (send_msg))) + (allow gkeyringd_type 
session_bus_type (unix_stream_socket (connectto))) + (allow session_bus_type gkeyringd_type (process (sigkill))) + (allow gkeyringd_type session_bus_type (dbus (acquire_svc))) + (allow gkeyringd_type system_dbusd_t (unix_stream_socket (connectto))) + (allow gkeyringd_type system_dbusd_t (dbus (send_msg))) + (allow gkeyringd_type user_home_dir_t (dir (getattr open search))) + (allow gkeyringd_type user_home_dir_t (lnk_file (read getattr))) + (allow gkeyringd_type home_root_t (dir (getattr open search))) + (allow gkeyringd_type home_root_t (lnk_file (read getattr))) + (allow gkeyringd_type gnome_home_t (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow gkeyringd_type data_home_t (dir (getattr open search))) + (allow gkeyringd_type gconf_home_t (dir (getattr open search))) + (allow gkeyringd_type data_home_t (file (ioctl read getattr lock open))) + (allow gkeyringd_type data_home_t (dir (getattr open search))) + (allow gkeyringd_type gconf_home_t (dir (getattr open search))) + (allow gkeyringd_type data_home_t (lnk_file (read getattr))) + (allow gkeyringd_type data_home_t (dir (getattr open search))) + (allow gkeyringd_type gconf_home_t (dir (getattr open search))) + (allow gkeyringd_type data_home_t (dir (ioctl read getattr lock open search))) + (optional confinedom_user_login_optional_16 + (typeattributeset cil_gen_require proc_t) + (typeattributeset cil_gen_require telepathy_mission_control_t) + (typeattributeset cil_gen_require telepathy_gabble_t) + (allow gkeyringd_type proc_t (dir (getattr open search))) + (allow gkeyringd_type proc_t (dir (getattr open search))) + (allow gkeyringd_type telepathy_mission_control_t (dir (ioctl read getattr lock open search))) + (allow gkeyringd_type telepathy_mission_control_t (file (ioctl read getattr lock open))) + (allow gkeyringd_type telepathy_mission_control_t (lnk_file (read getattr))) + (allow gkeyringd_type 
telepathy_mission_control_t (process (getattr))) + (allow telepathy_gabble_t gkeyringd_tmp_t (dir (getattr open search))) + (allow telepathy_gabble_t gkeyringd_tmp_t (sock_file (write getattr append open))) + (allow telepathy_gabble_t gkeyringd_type (unix_stream_socket (connectto))) + ) + (optional confinedom_user_login_optional_17 + (typeattributeset cil_gen_require systemd_logind_t) + (allow gkeyringd_type systemd_logind_t (dbus (send_msg))) + (allow systemd_logind_t gkeyringd_type (dbus (send_msg))) + (allow systemd_logind_t gkeyringd_type (dir (ioctl read getattr lock open search))) + (allow systemd_logind_t gkeyringd_type (file (ioctl read getattr lock open))) + (allow systemd_logind_t gkeyringd_type (lnk_file (read getattr))) + (allow systemd_logind_t gkeyringd_type (process (getattr))) + (allow systemd_logind_t gkeyringd_type (process (signal))) + (allow gkeyringd_type systemd_logind_t (fd (use))) + ) + ) + (optional confinedom_user_login_optional_18 + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require ssh_agent_exec_t) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type bin_t (lnk_file (read getattr))) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type bin_t (dir (getattr open search))) + (allow gkeyringd_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + ) + ) + (optional confinedom_user_login_optional_19 + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require locate_var_lib_t) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype locate_var_lib_t (dir (getattr open search))) + (allow utype locate_var_lib_t (file (ioctl read getattr lock open))) + (allow utype locate_var_lib_t (dir (ioctl read getattr lock open search))) + ) + (optional confinedom_user_login_optional_20 + (typeattributeset 
cil_gen_require var_t) + (typeattributeset cil_gen_require mail_spool_t) + (typeattributeset cil_gen_require var_spool_t) + (allow utype var_t (dir (getattr open search))) + (allow utype var_spool_t (dir (getattr open search))) + (allow utype mail_spool_t (dir (ioctl read getattr lock open search))) + (allow utype mail_spool_t (dir (getattr open search))) + (allow utype mail_spool_t (file (getattr))) + (allow utype mail_spool_t (dir (getattr open search))) + (allow utype mail_spool_t (lnk_file (read getattr))) + ) + ) + ) +) + +(macro confined_ssh_connect_macro ((type utype) (role urole) (type ssh_agent_type)) + (optional confined_ssh_connect_macro_optional + (typeattributeset cil_gen_require sshd_t) + (typeattributeset cil_gen_require ptmx_t) + (typeattributeset cil_gen_require device_t) + (typeattributeset cil_gen_require sshd_devpts_t) + (typeattributeset cil_gen_require ssh_server) + (typeattributeset cil_gen_require ssh_t) + (typeattributeset cil_gen_require ssh_exec_t) + (typeattributeset cil_gen_require ssh_tmpfs_t) + (typeattributeset cil_gen_require ssh_home_t) + (typeattributeset cil_gen_require ssh_agent_exec_t) + (typeattributeset cil_gen_require ssh_keysign_t) + (typeattributeset cil_gen_require ssh_agent_tmp_t) + (typeattributeset cil_gen_require cache_home_t) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset cil_gen_require domain) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset cil_gen_require exec_type) + (typeattributeset cil_gen_require file_type) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset cil_gen_require entry_type) + (typeattributeset cil_gen_require ubac_constrained_type) + (typeattributeset cil_gen_require privfd) + (typeattributeset cil_gen_require user_home_dir_t) + (typeattributeset cil_gen_require home_root_t) + 
(typeattributeset cil_gen_require user_tmp_type) + (typeattributeset cil_gen_require user_tmp_t) + (typeattributeset cil_gen_require tmp_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset cil_gen_require shell_exec_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require usr_t) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset cil_gen_require tty_device_t) + (typeattributeset cil_gen_require user_home_t) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset cil_gen_require ssh_keygen_exec_t) + (roleattributeset cil_gen_require urole) + (roletype object_r ssh_agent_type) + (roletype urole ssh_t) + (roletype urole ssh_agent_type) + (roletype urole user_tmp_t) + (typeattributeset cil_gen_require netlabel_peer_type) + (typeattributeset netlabel_peer_type (ssh_agent_type )) + (typeattributeset cil_gen_require corenet_unlabeled_type) + (typeattributeset corenet_unlabeled_type (ssh_agent_type )) + (typeattributeset cil_gen_require privfd) + (typeattributeset privfd (ssh_agent_type )) + (typeattributeset cil_gen_require syslog_client_type) + (typeattributeset syslog_client_type (ssh_agent_type )) + (typeattributeset cil_gen_require file_type) + (typeattributeset file_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require non_security_file_type) + (typeattributeset non_security_file_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require exec_type) + (typeattributeset exec_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require application_domain_type) + (typeattributeset application_domain_type (ssh_agent_type )) + (typeattributeset cil_gen_require userdom_home_manager_type) + (typeattributeset userdom_home_manager_type (ssh_agent_type )) + (typeattributeset cil_gen_require 
ubac_constrained_type) + (typeattributeset ubac_constrained_type (ssh_agent_type )) + (typeattributeset cil_gen_require ssh_agent_type) + (typeattributeset cil_gen_require kernel_system_state_reader) + (typeattributeset kernel_system_state_reader (ssh_agent_type )) + (typeattributeset cil_gen_require application_exec_type) + (typeattributeset application_exec_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require nsswitch_domain) + (typeattributeset nsswitch_domain (ssh_agent_type )) + (typeattributeset cil_gen_require entry_type) + (typeattributeset entry_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require non_auth_file_type) + (typeattributeset non_auth_file_type (ssh_agent_exec_t )) + (typeattributeset cil_gen_require domain) + (typeattributeset domain (ssh_agent_type )) + (allow sshd_t utype (process (dyntransition))) + (allow utype sshd_t (process (sigchld))) + (allow sshd_t utype (process (sigkill sigstop signull signal getattr))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (dir (ioctl read getattr lock open search))) + (allow utype device_t (dir (getattr open search))) + (allow utype device_t (lnk_file (read getattr))) + (allow utype ptmx_t (chr_file (ioctl read write getattr lock append open))) + (allow utype sshd_devpts_t (chr_file (ioctl read write getattr lock append))) + (allow ssh_agent_type ssh_agent_exec_t (file (entrypoint))) + (allow ssh_agent_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open))) + (allow utype ssh_exec_t (file (ioctl read getattr map execute open))) + (allow utype ssh_t (process (transition))) + (typetransition utype ssh_exec_t process ssh_t) + (allow ssh_t utype (fd (use))) + (allow ssh_t utype (fifo_file (ioctl read write getattr lock append))) + (allow ssh_t utype (process (sigchld))) + (allow utype ssh_server (unix_stream_socket (ioctl read write getattr setattr lock append bind connect listen accept getopt setopt shutdown))) + (allow utype ssh_t (dir (ioctl 
read getattr lock open search))) + (allow utype ssh_t (file (ioctl read getattr lock open))) + (allow utype ssh_t (lnk_file (read getattr))) + (allow utype ssh_t (process (getattr))) + (allow utype ssh_t (process (sigchld sigkill sigstop signull signal))) + (allow ssh_t utype (unix_stream_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown))) + (allow ssh_t utype (unix_stream_socket (connectto))) + (allow ssh_t utype (key (view read write search link setattr create))) + (allow utype ssh_t (key (view read write search))) + (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype ssh_home_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype ssh_home_t (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow utype ssh_home_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype ssh_home_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype user_home_dir_t (dir (getattr open search))) + (allow utype user_home_dir_t (lnk_file (read getattr))) + (allow utype home_root_t (dir (getattr open search))) + (allow utype home_root_t (lnk_file (read getattr))) + (typemember ssh_t tmp_t dir user_tmp_t) + (allow ssh_t user_tmp_type (dir (mounton))) + (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow ssh_t user_tmp_type (dir (ioctl read write create getattr setattr lock unlink link rename open watch watch_reads add_name remove_name reparent search rmdir))) + (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow ssh_t user_tmp_type (file (ioctl read write create getattr setattr lock 
append unlink link rename open watch watch_reads))) + (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow ssh_t user_tmp_type (lnk_file (ioctl read write create getattr setattr lock append unlink link rename watch watch_reads))) + (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow ssh_t user_tmp_type (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow ssh_t user_tmp_type (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow ssh_t user_tmp_type (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow ssh_t tmp_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition ssh_t tmp_t fifo_file user_tmp_t) + (typetransition ssh_t tmp_t sock_file user_tmp_t) + (typetransition ssh_t tmp_t lnk_file user_tmp_t) + (typetransition ssh_t tmp_t dir user_tmp_t) + (typetransition ssh_t tmp_t file user_tmp_t) + (allow user_tmp_t tmpfs_t (filesystem (associate))) + (allow ssh_t tmpfs_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (typetransition ssh_t tmpfs_t fifo_file user_tmp_t) + (typetransition ssh_t tmpfs_t sock_file user_tmp_t) + (typetransition ssh_t tmpfs_t lnk_file user_tmp_t) + (typetransition ssh_t tmpfs_t dir user_tmp_t) + (typetransition ssh_t tmpfs_t file user_tmp_t) + (allow ssh_t user_tmp_type (dir (getattr open search))) + (allow ssh_t user_tmp_type (dir (getattr relabelfrom relabelto))) + (allow ssh_t user_tmp_type (dir (getattr open search))) + (allow ssh_t user_tmp_type (file (getattr relabelfrom relabelto))) + (allow ssh_t user_tmp_type (dir (getattr open search))) + (allow ssh_t user_tmp_type (lnk_file (getattr relabelfrom relabelto))) + (allow ssh_t user_tmp_type (dir (getattr open search))) + (allow ssh_t user_tmp_type (sock_file (getattr relabelfrom relabelto))) + (allow 
ssh_t user_tmp_type (dir (getattr open search))) + (allow ssh_t user_tmp_type (fifo_file (getattr relabelfrom relabelto))) + (allow ssh_t user_tmp_type (file (map))) + (allow ssh_agent_type utype (process (signull))) + (allow ssh_agent_type ssh_agent_type (process (signull))) + (allow ssh_agent_type self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto))) + (allow utype ssh_agent_tmp_t (dir (getattr open search))) + (allow utype ssh_agent_tmp_t (sock_file (write getattr append open))) + (allow utype ssh_agent_type (unix_stream_socket (connectto))) + (allow utype cache_home_t (dir (getattr open search))) + (allow utype cache_home_t (sock_file (write getattr append open))) + (allow utype ssh_agent_type (unix_stream_socket (connectto))) + (allow utype ssh_agent_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown))) + (allow utype ssh_agent_type (process (sigchld sigkill sigstop signull signal))) + (allow utype ssh_agent_type (dir (ioctl read getattr lock open search))) + (allow utype ssh_agent_type (file (ioctl read getattr lock open))) + (allow utype ssh_agent_type (lnk_file (read getattr))) + (allow utype ssh_agent_type (process (getattr))) + (allow ssh_agent_type ssh_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype ssh_agent_exec_t (file (ioctl read getattr map execute open))) + (allow utype ssh_agent_type (process (transition))) + (typetransition utype ssh_agent_exec_t process ssh_agent_type) + (allow ssh_agent_type utype (fd (use))) + (allow ssh_agent_type utype (fifo_file (ioctl read write getattr lock append))) + (allow ssh_agent_type utype (process (sigchld))) + (allow ssh_agent_type bin_t (dir (getattr open search))) + (allow ssh_agent_type bin_t (dir (ioctl read getattr lock open search))) + (allow ssh_agent_type bin_t (dir (getattr open search))) + 
(allow ssh_agent_type bin_t (lnk_file (read getattr))) + (allow ssh_agent_type shell_exec_t (file (ioctl read getattr map execute open))) + (allow ssh_agent_type utype (process (transition))) + (typetransition ssh_agent_type shell_exec_t process utype) + (allow ssh_agent_type bin_t (dir (getattr open search))) + (allow ssh_agent_type bin_t (lnk_file (read getattr))) + (allow ssh_agent_type bin_t (file (ioctl read getattr map execute open))) + (allow ssh_agent_type utype (process (transition))) + (allow ssh_agent_type usr_t (dir (getattr open search))) + (allow ssh_agent_type usr_t (lnk_file (read getattr))) + (allow ssh_agent_type usr_t (file (ioctl read getattr map execute open))) + (allow ssh_agent_type utype (process (transition))) + (typetransition ssh_agent_type bin_t process utype) + (typetransition ssh_agent_type usr_t process utype) + (allow ssh_agent_type device_t (dir (getattr open search))) + (allow ssh_agent_type device_t (dir (ioctl read getattr lock open search))) + (allow ssh_agent_type device_t (dir (getattr open search))) + (allow ssh_agent_type device_t (lnk_file (read getattr))) + (allow ssh_agent_type tty_device_t (chr_file (ioctl read write getattr lock append open))) + (allow ssh_agent_type user_home_t (file (ioctl read getattr map execute open))) + (allow ssh_agent_type utype (process (transition))) + (typetransition ssh_agent_type user_home_t process utype) + (allow ssh_agent_type user_home_dir_t (dir (getattr open search))) + (allow ssh_agent_type home_root_t (dir (getattr open search))) + (allow ssh_agent_type home_root_t (lnk_file (read getattr))) + (allow utype ssh_keygen_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + ) +) + +(macro confined_use_basic_commands_macro ((type utype) (role urole)) + (optional confined_use_basic_commands_optional_2 + (roleattributeset cil_gen_require urole) + (typeattributeset cil_gen_require init_var_lib_t) + (typeattributeset cil_gen_require utype) + (typeattributeset 
cil_gen_require login_confinedom) + (typeattributeset cil_gen_require var_t) + (typeattributeset cil_gen_require var_lib_t) + (typeattributeset cil_gen_require init_t) + (typeattributeset cil_gen_require var_log_t) + (typeattributeset cil_gen_require syslogd_var_run_t) + (typeattributeset cil_gen_require systemd_unit_file_type) + (typeattributeset cil_gen_require systemd_systemctl_exec_t) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require cgroup_t) + (typeattributeset cil_gen_require tmpfs_t) + (typeattributeset cil_gen_require sysfs_t) + (typeattributeset cil_gen_require efivarfs_t) + (typeattributeset cil_gen_require init_var_run_t) + (typeattributeset cil_gen_require var_run_t) + (typeattributeset cil_gen_require systemd_logind_var_run_t) + (typeattributeset cil_gen_require systemd_passwd_agent_t) + (typeattributeset cil_gen_require systemd_passwd_agent_exec_t) + (typeattributeset cil_gen_require systemd_passwd_var_run_t) + (allow utype utype (process (setpgid))) + (allow utype utype (system (status))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype init_var_lib_t (dir (getattr open search))) + (allow utype init_var_lib_t (file (ioctl read getattr map open))) + (allow utype init_t (process (signal))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_log_t (dir (ioctl read getattr lock open search))) + (allow utype var_log_t (file (map))) + (allow utype var_log_t (dir (getattr open search))) + (allow utype var_log_t (file (ioctl read getattr lock open))) + (allow utype var_log_t (dir (getattr open search))) + (allow utype var_log_t (lnk_file (read getattr))) + (allow utype syslogd_var_run_t (dir (getattr open search))) + (allow utype syslogd_var_run_t (file (ioctl read getattr lock open map))) + (allow utype syslogd_var_run_t (dir (getattr open search))) + (allow utype syslogd_var_run_t (dir (ioctl read getattr lock open search))) + 
;corecmd_bin_entry_type(utype) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (file (entrypoint))) + (allow utype bin_t (file (ioctl read getattr lock map execute open))) + (allow utype usr_t (file (entrypoint))) + (allow utype usr_t (file (ioctl read getattr lock map execute open))) + (allow utype systemd_systemctl_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (dir (ioctl read getattr lock open search))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (file (ioctl read getattr lock open))) + (allow utype cgroup_t (dir (getattr open search))) + (allow utype cgroup_t (lnk_file (read getattr))) + (allow utype tmpfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype sysfs_t (dir (getattr open search))) + (allow utype efivarfs_t (dir (getattr open search))) + (allow utype efivarfs_t (file (ioctl read getattr lock open))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_lib_t (dir (getattr open search))) + (allow utype systemd_unit_file_type (dir (ioctl read getattr lock open search))) + (allow utype init_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype init_t (dir (getattr open search))) + (allow utype init_t (file (ioctl read getattr lock open))) + (allow utype init_t (lnk_file (read getattr))) + (allow utype init_t (unix_stream_socket (sendto))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir 
(getattr open search))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype init_var_run_t (sock_file (write getattr append open))) + (allow utype init_t (unix_stream_socket (connectto))) + (allow utype init_t (unix_stream_socket (getattr))) + (dontaudit utype self (process (setrlimit))) + (dontaudit utype self (capability (sys_resource))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (ioctl read getattr lock open search))) + (allow utype var_t (lnk_file (read getattr))) + (allow utype var_run_t (lnk_file (read getattr))) + (allow utype var_t (dir (getattr open search))) + (allow utype var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (dir (getattr open search))) + (allow utype systemd_logind_var_run_t (file (ioctl read getattr lock open))) + (allow utype systemd_passwd_agent_exec_t (file (ioctl read getattr lock map execute open execute_no_trans))) + (allow utype init_var_run_t (dir (getattr open search))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (file (ioctl read write create getattr setattr lock append unlink link rename open watch watch_reads))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (sock_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow utype systemd_passwd_var_run_t (dir (ioctl read write getattr lock open add_name remove_name search))) + (allow utype systemd_passwd_var_run_t (fifo_file (ioctl read write create getattr setattr lock append unlink link rename open))) + (allow 
systemd_passwd_agent_t utype (process (signull))) + (allow systemd_passwd_agent_t utype (unix_dgram_socket (sendto))) + (dontaudit utype self (capability (net_admin sys_ptrace))) + (allow utype systemd_unit_file_type (service (status))) + (optional confined_use_basic_commands_optional_3 + (typeattributeset cil_gen_require adjtime_t) + (typeattributeset cil_gen_require etc_t) + (allow utype etc_t (dir (ioctl read getattr lock open search))) + (allow utype adjtime_t (file (ioctl read getattr lock open))) + ) + (optional confined_use_basic_commands_optional_4 + (typeattributeset cil_gen_require mandb_cache_t) + (allow utype mandb_cache_t (file (map))) + ) + (optional confined_use_basic_commands_optional_5 + (roleattributeset cil_gen_require passwd_roles) + (typeattributeset cil_gen_require bin_t) + (typeattributeset cil_gen_require passwd_t) + (typeattributeset cil_gen_require passwd_exec_t) + (roleattributeset cil_gen_require passwd_roles) + (roleattributeset passwd_roles (urole )) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (lnk_file (read getattr))) + (allow utype bin_t (dir (getattr open search))) + (allow utype bin_t (dir (getattr open search))) + (allow utype passwd_exec_t (file (ioctl read getattr map execute open))) + (allow utype passwd_t (process (transition))) + (typetransition utype passwd_exec_t process passwd_t) + (allow passwd_t utype (fd (use))) + (allow passwd_t utype (fifo_file (ioctl read write getattr lock append))) + (allow passwd_t utype (process (sigchld))) + ) + ) +) + +;(call confinedom_admin_commands_macro (u_t u_r u_sudo_t)) +;(call confinedom_graphical_login_macro (u_t u_r u_dbus_t)) +;(call confinedom_mozilla_usage_macro (u_t u_r)) +;(call confinedom_networking_macro (u_t u_r)) +;(call confinedom_security_advanced_macro (u_t u_r u_sudo_t u_userhelper_t)) +;(call confinedom_security_basic_macro (u_t u_r)) +;(call confinedom_sudo_macro (u_t u_r u_sudo_t u_sudo_tmp_t)) +;(call confinedom_user_login_macro (u_t u_r 
u_gkeyringd_t u_dbus_t u_exec_content)) +;(call confined_ssh_connect_macro (u_t u_r u_ssh_agent_t)) +;(call confined_use_basic_commands_macro (u_t u_r)) -- 2.41.0