# Policy block for the domain named `global`.
# NOTE(review): the syntax looks like the SELinux Policy Editor's simplified
# policy language, and `global` is presumably the rule set every other domain
# starts from -- confirm both. If so, each `allow` here is a grant to all
# confined processes, so review it with that blast radius in mind.
# NOTE(review): these `#` comment lines assume the policy compiler accepts
# `#` comments -- confirm before loading, and drop them if it does not.
{
domain global;

# --- IPC, signals and sockets: every rule in this group targets `self` ---
# NOTE(review): r,w are presumably read/write; the letters c,k,s,o on the
# -sig rule are presumably signal classes (sigchld/sigkill/sigstop/other)
# -- confirm against the policy language reference.
allowcom -sem self r,w;	

allowcom -msg self r,w;

allowcom -msgq self r,w;

allowcom -shm self r,w;

allowcom -pipe self r,w;

allowcom -sig self c,k,s,o;

allowcom -unix self;

allowcom -udp self;

allowcom -tcp self;

# The only cross-domain rule in this block: signal class `c` towards init_t.
allowcom -sig init_t c;

# --- Terminals: read and write on `general` ttys, read-only on `general` ptys ---
allowtty general w;

allowtty general r;

allowpts general r;

# --- Process information: read-only for -self, -proc and -system ---
allowproc -self r;

allowproc -proc r;

allowproc -system r;

# --- File rules ---
# The rules below are not sorted by path, and broad allows overlap narrow
# denies (e.g. `allow /etc r,s` vs. `deny /etc/shadow`, `allow /dev r,s` vs.
# `deny /dev/mem`, `allow /var r,s` vs. `deny /var/log`).
# NOTE(review): the intended result only holds if the compiler lets the most
# specific path win regardless of file order -- confirm; if matching is
# order-dependent, several denies below would be shadowed or would shadow.
# NOTE(review): `s` is presumably search/list, and `allowonly` presumably
# applies to the directory itself without descending -- confirm.
allowonly / s;
allowonly /home s;
deny /etc/passwd.OLD;
deny /etc/passwd-;
allow /usr/etc r,s;
deny /etc/httpd;
allow /usr/dict r,s;
deny /etc/xinetd.conf;
allow /usr/share r,s;
deny /var/log;
allow /tmp s;
deny /usr/local/tmp/webmin;
allow /usr/local r,s;
# Raw memory devices (/dev/mem here, /dev/kmem and /dev/port further down)
# are carved out of the broader `allow /dev r,s`.
deny /dev/mem;
deny /var/lib/slocate;
allow /var/ftp/lib r,x,s;
deny /etc/security/selinux;
allow /dev r,s;
# NOTE(review): `/dev/nul` looks like a typo for `/dev/null`, which has its
# own r,w rule further down. As written this grants read/write on a path
# that normally does not exist -- confirm and remove if unintended.
allow /dev/nul r,w;
allow /usr/backup r,s;
deny /var/ftp/etc;
deny /etc/modules.conf;
# NOTE(review): this deny names a version-specific directory; an install
# under a different directory name would fall back to `allow /usr/local r,s`
# -- verify the path still matches what is installed.
deny /usr/local/webmin-1.030;
deny /usr/sbin;
deny /var/log/wtmp;
deny /usr/X11R6/bin;
deny /etc/shadow-;
deny /dev/kmem;
deny /lib/modules;
deny /etc/webmin;
allow /lib r,x,s;
deny /root;
deny /usr/local/var/1;
allow /etc r,s;
deny /var/mail;
allow /usr/html r,s;
allow /usr/src r,s;
allow /usr/games r,s;
deny /etc/shadow;
deny /etc/xinetd.d;
allow /dev/null r,w;
deny /usr/bin;
deny /usr/local/etc/auth;
deny /var/www;
deny /var/spool;
allow /usr/tmp r,s;
# NOTE(review): `/...security` is presumably the directory where older
# SELinux releases kept persistent file-label mappings -- confirm. Only the
# root filesystem's copy is named here; other mounted filesystems would need
# their own rule if they carry one.
deny /...security;
allow /usr/include r,s;
allow /usr/local/libexec r,x,s;
deny /var/webmin;
allow /usr/doc r,s;
deny /var/named;
deny /dev/port;
allow /usr/local/lib r,x,s;
deny /usr/local/etc;
allow /dev/zero r,w;
allow /var r,s;
allow /dev/console r,w;
# Broadest grant in the block: r,x,s on all of /usr, narrowed only by the
# explicit denies on /usr/bin, /usr/sbin and /usr/X11R6/bin above.
allow /usr r,x,s;
}
