{
# Baseline rules inherited by every domain in this policy ("global").
# Permission letters are assumed to be r=read, w=write, x=execute,
# s=search (directory traversal) -- confirm against the SPDL reference
# for this SEEdit version before relying on them.
domain global;

# IPC between processes of the same domain ("self").
allowcom -sem self r,w;	

allowcom -msg self r,w;

allowcom -msgq self r,w;

allowcom -shm self r,w;

allowcom -pipe self r,w;

# Signal classes c,k,s,o are presumably child/kill/stop/other -- confirm.
allowcom -sig self c,k,s,o;

allowcom -unix self;

allowcom -udp self;

allowcom -tcp self;

# Every domain may send the "c" signal class to init_t.
allowcom -sig init_t c;

allowtty general w;

allowtty general r;

allowpts general r;

# /proc visibility: own entry, other processes, and /proc/sys.
allowproc -self r;

allowproc -proc r;

allowproc -system r;

# allowonly presumably grants the permission on the named path itself
# and not on its subtree, so every domain can traverse / and /home
# without gaining read access to their contents -- confirm.
allowonly / s;

allowonly /home s;

# Credential files and other sensitive paths are denied globally and
# re-allowed only in the domains that need them (login_t, spasswd_t, ...).
# From the pairs below (e.g. /etc allowed r,s but /etc/shadow denied) the
# more specific path appears to take precedence -- confirm the rule order
# semantics of the compiler before reordering anything here.
deny /etc/passwd.OLD;

deny /etc/passwd-;

allow /usr/etc r,s;

deny /etc/httpd;

allow /usr/dict r,s;

deny /etc/xinetd.conf;

allow /usr/share r,s;

deny /var/log;

allow /tmp s;

deny /usr/local/tmp/webmin;

allow /usr/local r,s;

# Raw memory/port devices are hidden from everything except the few
# domains that re-allow them (klogd_t, xserver_t, initrc_t, mount_t).
deny /dev/mem;

deny /var/lib/slocate;

allow /var/ftp/lib r,x,s;

deny /etc/security/selinux;

allow /dev r,s;

# NOTE(review): "/dev/nul" is not a standard device node; /dev/null is
# allowed separately below. Probably a typo -- harmless, but worth removing.
allow /dev/nul r,w;

allow /usr/backup r,s;

deny /var/ftp/etc;

deny /etc/modules.conf;

deny /usr/libexec/webmin-1.140;

deny /usr/sbin;

deny /var/log/wtmp;

deny /usr/X11R6/bin;

deny /etc/shadow-;

deny /dev/kmem;

deny /lib/modules;

deny /etc/webmin;

allow /lib r,x,s;

deny /root;

deny /usr/local/var/1;

allow /etc r,s;

deny /var/mail;

allow /usr/html r,s;

allow /usr/src r,s;

allow /usr/games r,s;

deny /etc/shadow;

deny /etc/xinetd.d;

allow /dev/null r,w;

deny /usr/bin;

deny /usr/local/etc/auth;

deny /var/www;

deny /var/spool;

allow /usr/tmp r,s;

# "..." looks like an SPDL path wildcard (any path component) -- confirm.
deny /...security;

allow /usr/include r,s;

allow /usr/local/libexec r,x,s;

deny /var/webmin;

allow /usr/doc r,s;

deny /var/named;

deny /dev/port;

allow /usr/local/lib r,x,s;

deny /usr/local/etc;

allow /dev/zero r,w;

allow /var r,s;

allow /dev/console r,w;

allow /usr r,x,s;

}
{
#comment:Domain for system cron(Anacron) process
# Runs the periodic jobs under /etc/cron.*. It is also the source domain
# for logrotate_t, rpm_t, slocate_t, procmail_t and tmpreaper_t (see the
# domain_trans lines in those blocks).

domain anacron_t;

# Entered when initrc_t executes /usr/sbin/anacron.
domain_trans initrc_t /usr/sbin/anacron;

allowcom -unix syslogd_t;

allow /etc/cron.hourly r,x,s;

allow /var/log/rpmpkgs r,w,s;

allow /sbin s;

allow /bin r,x,s;

allow /var/log s;

allow /var/spool/anacron r,w,s;

allow /usr/bin r,x,s;

allow /var/www s;

allow /var/spool s;

allow /etc/cron.daily r,x,s;

allow /var/cache/man/whatis r,w,s;

allow /etc/cron.weekly r,x,s;

allow /usr/sbin r,x,s;

allow /etc/cron.d r,x,s;

allow /var/lock r,w,s;

allow /etc/cron.monthly r,x,s;

# Write access inside the web document root; confirm it is limited to the
# usage-statistics directory and nothing served as executable content.
allow /var/www/html/usage r,w,s;

allow /dev/console r,w,s;

# "exclusive" appears to label files this domain creates under /tmp with
# the private type anacron_tmp_t -- confirm.
allow /tmp exclusive anacron_tmp_t;

allow anacron_tmp_t r,w,s;

allow etc_runtime r,s;

allow rpm_log_t r,w,s;

allow dev_log_t r,w,s;

allow /var/log exclusive cron_log_t;

}
{
# Console getty; only needs the tty and the utmp/wtmp accounting files.
domain getty_t;

domain_trans init_t /sbin/mingetty;

allowtty general r,w;

allowtty global r,w;

allow /var/log/wtmp r,w,s;

allow /var/run/utmp r,w,s;

allow /bin s;

allow /var/log s;

allow initrc_var_run_t r,w,s;

}
{
#comment:Apache
# Web server domain. Entered from initrc_t (boot) or from webmaster_r
# (manual start); webmaster_r may also signal it (see the webmaster_r block).

domain httpd_t;

domain_trans webmaster_r /usr/sbin/httpd;

domain_trans initrc_t /usr/sbin/httpd;

allowtty sysadm_r w;

allowtty sysadm_r r;

allowpts sysadm_r w;

allowpts sysadm_r r;

allowtmpfs -create;

allowtmpfs httpd_t w;

allowtmpfs httpd_t r;

allownet;

allownet -wellknown;

allownet -tcp -port 80;

allownet -tcp -port 443;

# NOTE(review): this Apache generation does not speak HTTP over UDP; the
# two -udp rules look unnecessary and could be dropped -- confirm.
allownet -udp -port 80;

allownet -udp -port 443;

# NOTE(review): signalling getty_t from the web server is unexpected --
# confirm it is needed.
allowcom -sig getty_t c;

allowcom -unix syslogd_t;

allow /var/log/httpd r,w,s;
allow /usr/local/bin r,x,s;
allow /home r,s;
allow /etc/passwd r,s;
allow /usr/sbin r,x,s;
allow /var/www/cgi-bin r,x,s;
allow /var/www r,s;
allow /var s;
allow /var/run r,w,s;
allow /etc/httpd r,s;
# NOTE(review): write access to /etc/krb5.conf from the web server is
# unusual; a compromised httpd could redirect Kerberos realms -- confirm
# whether r,s is enough.
allow /etc/krb5.conf r,w,s;
allow /usr/local/sbin r,x,s;
allow /var/log s;
allow /var/run exclusive httpd_var_run_t;
allow httpd_var_run_t r,w,s;
allow /tmp exclusive httpd_tmp_t;
allow httpd_tmp_t r,w,s;
allow etc_runtime r,s;
}
{
#comment:Domain for init program
# PID 1. Can signal every domain and owns /etc/rc.d execution via initrc_t.

domain init_t;

domain_trans kernel_t /sbin/init;

allowcom -unix syslogd_t;

# init may deliver all signal classes to any domain.
allowcom -sig global c,k,s,o;

allowtty global r,w;

allownet;

allowadm boot;

allow /var/log/wtmp r,w,s;

allow /usr/sbin r,x,s;

allow /usr/bin r,x,s;

allow /etc r,w,s;

allow /etc/rc.d r,x,s;

allow /var/run r,w,s;

allow /dev r,w,s;

allow /...security r,s;

allow /etc/security/selinux r,s;

allow /sbin r,x,s;

allow /bin r,x,s;

allow /var/log s;

allow /tmp r,w,s;

allow initrc_var_run_t r,w,s;

allow /etc exclusive etc_runtime;

allow etc_runtime r,w,s;

allow dev_log_t r,w,s;

}
{
#Template:use_all_commands_template

#comment:Domain for init scripts
# Boot-time scripts. This is the most privileged service domain in the
# file: broad admin rights, raw memory reads and r,w on most other
# domains' private tmp/run types (used to clean up stale files).

domain initrc_t;

domain_trans init_t /etc/rc.d/rc;

domain_trans init_t /etc/rc.d/rc.sysinit;

domain_trans init_t /etc/rc.d/rc.local;

domain_trans run_init_t /etc/rc.d/init.d;

#allow /usr/libexec/webmin-1.140/miniserv.pl r,x,s;

#allow /usr/X11R6/bin r,x,s;

allowcom -unix syslogd_t;

allowproc -system r,w;

allowproc -other r;

allowcom -sig global c,k,s,o;

allowtty global w;

allowtty global r;

allowpts global w;

allowpts global r;

allowadm boot;

allowadm mount;

allowadm swapon;

allowadm part_relabel;

allowadm net;

allownet;

allownet -raw;

allownet -wellknown;

# Ports 68/udp+tcp: DHCP client side.
allownet -tcp -port 68;

allownet -udp -port 68;

allowonly / r,w,s;
allow /etc/webmin s;
allow /var/log/wtmp r,w,s;
allow /etc/webmin/stop r,x,s;
allow /bin r,x,s;
allow /usr/local/bin r,x,s;
allow /usr/X11R6/bin r,x,s;
allow /usr/sbin r,x,s;
allow /etc/passwd r,s;
# NOTE(review): read access to /dev/kmem, /dev/mem and /dev/port exposes
# kernel and physical memory to every init script; if only one script
# needs it, a dedicated domain would limit the blast radius -- confirm.
allow /dev/kmem r,s;
allow /var/run r,w,s;
allow /etc/adjtime r,w,s;
allow /lib/modules r,s;
allow /dev/mem r,s;
allow /var/lock/subsys r,w,s;
allow /etc/lvm r,w,x,s;
allow /usr/local/sbin r,x,s;
allow /etc/webmin/miniserv.conf r,s;
allow /var/lib r,w,s;
allow /dev/port r,s;
allow /var/webmin r,s;
# NOTE(review): "x" on /etc/resolv.conf (a data file) looks accidental.
allow /etc/resolv.conf r,w,x,s;
allow /bin/bash r,x;
allow /var/lock r,w,s;
allow /etc/xinetd.conf r,s;
allow /etc/webmin/start r,x,s;
allow /mnt r,s;
allow /bin/sh r,x;
allow /var/lib/rpm r,w,s;
allow /bin/tcsh r,x;
allow /var/log r,w,s;
allow /usr/local/selinux/bin r,x,s;
allow /dev r,w,s;
allow /etc/security/selinux r,s;
allow /etc r,x,s;
allow /tmp r,w,s;
allow /home r,s;
allow /root s;
allow /boot r,s;
allow /etc/modules.conf r,s;
allow /usr/libexec/webmin-1.140 s;
allow /usr/bin r,x,s;
allow /etc/httpd r,s;
allow /sbin r,x,s;
allow /usr/local/selinux/sbin r,x,s;
# r,w on other domains' private types: presumably so init scripts can
# remove stale pid/lock/tmp files at boot -- confirm each is still needed.
allow sysadm_tmp_t r,w,s;
allow rpm_tmp_t r,w,s;
allow /var/run exclusive initrc_var_run_t;
allow initrc_var_run_t r,w,s;
allow /etc exclusive etc_runtime;
allow etc_runtime r,w,s;
allow logrotate_tmp_t r,w,s;
allow xfs_var_run_t r,w,s;
allow sshd_var_run_t r,w,s;
allow syslogd_var_run_t r,w,s;
allow sendmail_tmp_t r,w,s;
allow portmap_tmp_t r,w,s;
allow xserver_tmp_t r,w,s;
allow syslogd_tmp_t r,w,s;
allow rlogin_tmp_t r,w,s;
allow httpd_var_run_t r,w,s;
allow sshd_tmp_t r,w,s;
allow dev_log_t r,w,s;
allow httpd_tmp_t r,w,s;
allow anacron_tmp_t r,w,s;
allow klogd_tmp_t r,w,s;
allow xinetd_var_run_t r,w,s;
allow xfs_tmp_t r,w,s;
# halt_t is the type sysadm_r assigns to files it creates under / (see the
# sysadm_r block).
allow halt_t r,w,s;
allow /var/log exclusive var_log_ksym_t;
allow var_log_ksym_t r,w,s;
allow sendmail_var_run_t r,w,s;
allow klogd_var_run_t r,w,s;
allow rpcd_tmp_t r,w,s;
}
{
#Template:use_bin_commands_template
# Kernel threads and early userspace before init_t takes over
# (init_t and modutils_t transition out of this domain).

domain kernel_t;

allownet -raw;

allow /bin r,x,s;

allow /usr/local/bin r,x,s;

allow /bin/bash r,x,s;

allow /usr/X11R6/bin r,x,s;

allow /usr/sbin r,s;

allow /bin/sh r,x,s;

allow /home/...security r,s;

allow /lib/modules r,s;

allow /var/log s;

# hotplug helpers are spawned directly by the kernel.
allow /etc/hotplug.d r,x,s;

allow /usr/local/selinux/bin r,x,s;

allow /dev r,w,s;

allow /etc/security/selinux r,s;

allow /usr/local/...security r,s;

allow /etc/hotplug r,x,s;

allow /usr/bin r,x,s;

allow /...security r,s;

allow /sbin r,x,s;

allow etc_runtime r,s;

allowadm mount;
allowadm net;
}
{
# Kernel log daemon: reads the kernel ring buffer and symbol maps.
domain klogd_t;

domain_trans initrc_t /sbin/klogd;

allowcom -unix syslogd_t;

allowadm raw_io;

# Kernel memory devices are readable here (denied in global); klogd uses
# them for symbol resolution of oops messages -- r only, no w.
allow /dev/mem r,s;

allow /boot r,s;

allow /dev/kmem r,s;

allow /dev/console r,w,s;

allow /var/run exclusive klogd_var_run_t;

allow dev_log_t r,w,s;

allow /tmp exclusive klogd_tmp_t;

allowproc -kmsg r;

}
{
# Local console login (spawned by getty_t). Reads /etc/shadow for
# authentication and relabels the tty before handing it to the user
# shell; sysadm_r, secadm_r, webmaster_r and user_r all transition out
# of this domain.
domain login_t;

domain_trans getty_t /bin/login;

#/var/run/utmp

# (original comment here was mis-encoded and could not be recovered)

# (original comment here was mis-encoded and could not be recovered)

allowadm getsecurity;

allowcom -unix syslogd_t;

allowtty global w;

allowtty global r;

# -change presumably allows relabelling the tty to the user's context.
allowtty -change general;

allowtty -change global;

allow /root r,s;

allow /var/spool/mail r,s;

allow /var/mail r,s;

allow /home r,s;

allow /etc/passwd r,s;

allow /dev/apm_bios r,w,s;

# NOTE(review): site-specific device name; confirm before reuse elsewhere.
allow /dev/fd0CompaQ r,w,s;

#allow /usr/sbin/in.telnetd r,x,s;

# Needed for password verification; r only.
allow /etc/shadow r,s;

allow /bin s;

allow /var/spool s;

#allow /usr/bin r,x,s;

allow /dev/mixer1 r,w,s;

allow /var/run r,w,s;

allow /var/log/wtmp r,w,s;

allow /var/log/lastlog r,w,s;

allow /dev/fd0 r,w,s;

allow /var/lock r,w,s;

allow /dev/mixer r,w,s;

allow /mnt r,s;

allow /dev/console r,w,s;

allow /var/log exclusive login_log_t;

allow login_log_t r,w,s;

allow initrc_var_run_t r,w,s;

allow dev_log_t r,w,s;

allowproc -self w;
}
{
#comment:Domain for logrotate
# Rotates logs of several daemons; the *_var_run_t read rules are
# presumably for pid files used to signal the daemons after rotation
# (hence allowcom -sig global o).

domain logrotate_t;

domain_trans anacron_t /usr/sbin/logrotate;

domain_trans sysadm_r /usr/sbin/logrotate;

allowproc -other r;

allowcom -sig global o;

allowtty sysadm_r w;

allowtty sysadm_r r;

allowpts sysadm_r w;

allowpts sysadm_r r;

allow /var/log/wtmp r,w,s;

allow /var/lib/logrotate.status r,w,s;

allow /sbin s;

allow /bin r,x,s;

allow /var/log r,w,s;

allow login_log_t r,w,s;

allow etc_runtime r,s;

allow xinetd_var_run_t r,s;

allow xfs_var_run_t r,s;

allow xserver_var_log_t r,w,s;

allow rpm_log_t r,w,s;

allow cron_log_t r,w,s;

allow xinetd_var_log_t r,w,s;

allow /tmp exclusive logrotate_tmp_t;

allow logrotate_tmp_t r,w,s;

allow httpd_var_run_t r,s;

allow initrc_var_run_t r,s;

allow klogd_var_run_t r,s;

allow /var/lib exclusive logrotate_var_lib_t;

allow logrotate_var_lib_t r,w,s;

allow syslogd_var_run_t r,s;

allow var_log_ksym_t r,w,s;

}
{
#comment:
# Kernel module tools. Loading a module is kernel-level code execution,
# so this domain is only reachable from initrc_t and kernel_t, not from
# any interactive role.

domain modutils_t;

domain_trans initrc_t /sbin/insmod;

domain_trans initrc_t /sbin/modprobe;

domain_trans initrc_t /sbin/depmod;

domain_trans kernel_t /sbin/insmod;

domain_trans kernel_t /sbin/modprobe;

allowtty sysadm_r r,w;

allowcom -unix syslogd_t;

allowcom -sig global o;

allow /var/log s;

allow /lib/modules r,s;

allow /etc/modules.conf r,s;

allow etc_runtime r,s;

allow dev_log_t r,w,s;

allowadm insmod;

allowadm mount;

allownet -raw;
}
{
#comment:
# mount/umount, from boot scripts or sysadm_r.

domain mount_t;

domain_trans sysadm_r /bin/mount;

domain_trans sysadm_r /bin/umount;

domain_trans initrc_t /bin/mount;

domain_trans initrc_t /bin/umount;

allowadm mount,raw_io;

allowtty global w;

allowtty global r;

allowpts global w;

allowpts global r;

allow /dev/fd0 r,w,s;

allow /dev/cdrom r,w,s;

allow /...security r,s;

allow /sbin r,s;

allow /mnt r,s;

allow /dev/console r,w,s;

# Writes /etc/mtab, hence the etc_runtime label for files created in /etc.
allow /etc exclusive etc_runtime;

allow etc_runtime r,w,s;

}
{
#comment:Domain for newrole program(this domain has big privilege)
# NOTE(review): the #comment: line above was originally placed outside
# the braces; every other block keeps it inside, so it is moved here.
# Role-switching program, reachable from all three interactive roles.
# It re-authenticates (reads /etc/shadow) and relabels the terminal.
domain newrole_t;
domain_trans sysadm_r /usr/bin/newrole;
domain_trans webmaster_r /usr/bin/newrole;
domain_trans user_r /usr/bin/newrole;





allowadm getsecurity;

# NOTE(review): duplicate of the line above; harmless but can be removed.
allowadm getsecurity;

allowtty global w;

allowtty global r;

allowtty -change global;

allowpts global w;

allowpts global r;

allowpts -change global;

allowcom -unix syslogd_t;

allow /var/log/wtmp r,w,s;

allow /etc/shadow r,s;

allow /bin s;

allow /dev/console r,w,s;

allow initrc_var_run_t r,w,s;

allow dev_log_t r,w,s;

allowproc -self w;
}
{
# RPC portmapper. -allport on both protocols is presumably required
# because registered services use dynamic ports; the rpcd_t peer rules
# mirror those in the rpcd_t block.
domain portmap_t;

domain_trans initrc_t /sbin/portmap;

allownet;

allownet -wellknown;

allownet -tcp -allport;

allownet -udp -allport;

allownet -tcp -port 111;

allownet -udp -port 111;

allowcom -tcp rpcd_t;

allowcom -tcp sysadm_r;

allowcom -udp rpcd_t;

allowcom -udp xinetd_t;

allow /etc/passwd r,s;

allow /tmp exclusive portmap_tmp_t;

allow portmap_tmp_t r,w,s;

}
{
#comment:
# Local mail delivery agent, spawned by sendmail_t or from cron.
# NOTE(review): there is no /home rule here, so per-user ~/.procmailrc
# files would not be readable under this policy -- confirm that is intended.

domain procmail_t;

domain_trans anacron_t /usr/bin/procmail;

domain_trans sendmail_t /usr/bin/procmail;

allownet;

allow /root s;

allow /var/spool/mail r,w,s;

}
{
#comment:
# /bin/login as spawned by rlogind_t (rlogin/telnet sessions). Same shape
# as login_t but on pts devices instead of ttys.

domain remote_login_t;

domain_trans rlogind_t /bin/login;

#/var/run/utmp

# (original comment here was mis-encoded and could not be recovered)

# (original comment here was mis-encoded and could not be recovered)

allownet;

allowcom -unix syslogd_t;

allowadm getsecurity;

allowpts general w;

allowpts global w;

allowpts global r;

allowpts -change general;

allowpts -change global;

allow /root r,s;

allow /var/spool/mail r,s;

allow /var/mail r,s;

allow /home r,s;

allow /etc/passwd r,s;

allow /etc/shadow r,s;

allow /bin s;

#allow /usr/bin r,x,s;

allow /var/spool s;

allow /var/run r,w,s;

allow /var/log/wtmp r,w,s;

allow /var/log/lastlog r,w,s;

allow /var/lock r,w,s;

allow /mnt r,s;

allow initrc_var_run_t r,w,s;

allow /var/log exclusive login_log_t;

# NOTE(review): files this domain creates under /var/log get login_log_t,
# but only r,s is granted on that type here (login_t has r,w,s), so such
# files could not be written after creation -- confirm which is intended.
allow login_log_t r,s;

allow dev_log_t r,w,s;

}
{
# in.rlogind / in.telnetd, started by xinetd_t. Both protocols carry
# credentials in cleartext; the tight rule set here limits but does not
# remove that exposure.
domain rlogind_t;

domain_trans xinetd_t /usr/sbin/in.rlogind;

domain_trans xinetd_t /usr/sbin/in.telnetd;

allowpts global w;

allowpts -create;

allowpts global r;

allowcom -tcp xinetd_t;

allownet;

allow /var/log/wtmp r,w,s;

allow /bin r,s;

allow /var/log s;

#allow /bin/login r,x,s;

allow initrc_var_run_t r,w,s;

allow dev_log_t r,w,s;

allow /tmp exclusive rlogin_tmp_t;

# NOTE(review): "x" on the private tmp type lets a network-facing daemon
# run files it wrote itself; other *_tmp_t rules in this file are r,w,s --
# confirm the daemon really needs execute here.
allow rlogin_tmp_t r,w,x,s;

}
{
# rpc.lockd / rpc.statd (NFS locking). The "a" permission used below does
# not appear elsewhere in this file; presumably append -- confirm.
domain rpcd_t;

domain_trans initrc_t /sbin/rpc.lockd;

domain_trans initrc_t /sbin/rpc.statd;

allow /var/lib/nfs/statd r,s,w,a;

allow dev_log_t r,s,w,a;

allow /tmp exclusive rpcd_tmp_t;

allow rpcd_tmp_t r,s,w,a;

allowcom -unix syslogd_t;

allowcom -tcp portmap_t;

allowcom -udp portmap_t;

allownet;

allownet -wellknown;

allownet -tcp -allport;

allownet -udp -allport;

}
{
#comment:
# rpm as run from cron (rpmpkgs job). Only anacron_t transitions here;
# the sysadm_r tty/pts rules look like leftovers from an interactive
# transition that is no longer declared -- confirm.

domain rpm_t;

domain_trans anacron_t /bin/rpm;

allowtmpfs -create;

allowtty sysadm_r w;

allowtty sysadm_r r;

allowpts sysadm_r w;

allowpts sysadm_r r;

allow /usr/bin r,x,s;

allow /usr/local/selinux/sbin r,x,s;

allow /usr/sbin r,x,s;

allow /usr/local/bin r,x,s;

allow /usr/local/sbin r,x,s;

allow /usr/src r,w,x,s;

allow /sbin r,x,s;

allow /bin r,x,s;

allow /usr/local/selinux/bin r,x,s;

allow /var/lib/rpm r,w,s;

allow etc_runtime r,s;

allow /var/log exclusive rpm_log_t;

allow rpm_log_t r,w,s;

allow /tmp exclusive rpm_tmp_t;

allow rpm_tmp_t r,w,s;

}
{
#comment:Domain for /usr/sbin/run_init command
# Lets sysadm_r start services in the initrc_t domain (initrc_t declares
# domain_trans run_init_t /etc/rc.d/init.d). Re-authenticates against
# /etc/shadow first.

domain run_init_t;

domain_trans sysadm_r /usr/sbin/run_init;

allowtty global w;

allowtty global r;

allowpts global w;

allowpts global r;

#allow /bin/sh r,x,s;

#allow /etc/rc.d/init.d r,x,s;

allow /etc/passwd r,s;

allow /etc/shadow r,s;

allow /bin s;

allow /bin/bash r,x,s;

allowproc -self w;
}
{
role secadm_r;
user root;
#comment:security administrator
# The only role that may change enforcement mode and load policy
# (setenforce / load_policy / relabel). Keep this role's rule set minimal.

domain_trans login_t /bin/bash;

domain_trans login_t /bin/sh;

allowtty secadm_r w;

allowtty -create;

allowtty secadm_r r;

allowpts secadm_r w;

allowpts -create;

allowpts secadm_r r;

allowtmpfs -create;

allowtmpfs secadm_r w;

allowtmpfs secadm_r r;

allowadm setenforce;

allowadm load_policy;

allowadm search;

allowadm getsecurity;

allowadm relabel;

# NOTE(review): getsecurity and search are already granted above;
# duplicates are harmless but can be removed.
allowadm getsecurity;

allowadm search;

allow /usr/bin r,x,s;

allow /root r,w,s;

# NOTE(review): sound devices (/dev/mixer1, /dev/dsp) have no obvious use
# for a security-admin role; they look copied from sysadm_r -- confirm.
allow /dev/mixer1 r,w,s;

allow /var/spool/mail r,w,s;

allow /dev/dsp r,w,s;

allow /home r,s;

allow /usr/sbin r,x,s;

# "x" without "r" -- confirm that is what the compiler expects for a
# directory of executables.
allow /usr/X11R6/bin x;

allow /sbin r,x,s;

allow /bin r,x,s;

allow /usr/local/selinux/bin r,x,s;

allow /dev/console r,w,s;

allow etc_runtime r,s;

allowcom -tcp sendmail_t;

}
{
#comment:Domain for sendmail server
# MTA listening on 25/tcp; hands local delivery to procmail_t.

domain sendmail_t;

domain_trans initrc_t /usr/sbin/sendmail;

allownet;

allownet -wellknown;

allownet -tcp -port 25;

allowcom -unix syslogd_t;

allowtty sysadm_r w;

allowtty sysadm_r r;

allowpts sysadm_r w;

allowpts sysadm_r r;

allow /var/spool s;

allow /usr/bin s;

allow /usr/local s;

allow /var/spool/mqueue r,w,s;

allow /var/spool/mail r,w,s;

# Write access to its own configuration and the aliases database; needed
# for newaliases, but it also means a compromised MTA can rewrite routing.
allow /etc/mail r,w,s;

allow /usr/bin/procmail r,x,s;

allow /etc/aliases.db r,w,s;

allow /dev/console r,w,s;

allow /etc/aliases r,w,s;

allow initrc_var_run_t r,w,s;

allow /tmp exclusive sendmail_tmp_t;

allow sendmail_tmp_t r,w,s;

allow /var/log exclusive sendmail_var_log_t;

allow sendmail_var_log_t r,w,s;

allow etc_runtime r,s;

allow /var/run exclusive sendmail_var_run_t;

allow sendmail_var_run_t r,w,s;

allow dev_log_t r,w,s;

}
{
#comment:slocate,locate,updatedb
# Filename indexer. Most rules grant only "s" (presumably search/traverse)
# on paths the global domain denies, so names can be indexed without
# reading contents; the database itself is r,w. Confirm "s" on a plain
# file such as /etc/shadow does not imply read.

domain slocate_t;

domain_trans anacron_t /usr/bin/locate;

domain_trans anacron_t /usr/bin/slocate;

domain_trans anacron_t /usr/bin/updatedb;

allow /etc/httpd s;

allow /etc/xinetd.conf s;

allow /etc/shadow s;

allow /etc/xinetd.d s;

allow /var/log s;

allow /usr/bin s;

allow / s;

allow /var/www s;

allow /var/lib/slocate r,w,s;

allow /...security s;

allow /etc/security/selinux s;

allow /var/webmin s;

allow /etc/modules.conf s;

allow /var/log/wtmp s;

allow /usr/libexec/webmin-1.140 s;

allow /usr/local/etc s;

allow /etc/webmin s;

allow etc_runtime r,s;

allowadm search;

}
{
#comment:Domain for spasswd command
# Password-changing wrapper for sysadm_r; the only domain with write
# access to /etc/shadow and its backup copies.

domain spasswd_t;

domain_trans sysadm_r /usr/local/selinux/bin/spasswd;

domain_trans sysadm_r /usr/local/selinux/bin/sadminpasswd;

allowtty global w;

allowtty global r;

allowpts global w;

allowpts global r;

allowadm part_relabel;

# If allowonly is non-recursive (as assumed in the global block), this
# grants creation/rename of entries directly in /etc (the shadow+ lock
# and temp files) without opening the rest of /etc.
allowonly /etc r,w,s;

allowonly /etc/security r,s;

allow /etc/pam.d r,s;

allow /usr/bin s;

allow /usr/bin/passwd r,x,s;

allow /etc/shadow- r,w,s;

allow /etc/passwd- r,w,s;

# NOTE(review): there is no /etc/passwd rule here although /etc/passwd-
# is writable; /usr/bin/passwd normally rewrites /etc/passwd as well --
# confirm the global r,s on /etc plus allowonly /etc r,w,s is sufficient.
allow /etc/shadow r,w,s;

allow /dev/console r,w,s;

allow dev_log_t r,w,s;

allowcom -unix syslogd_t;

}
{
#comment:
# /bin/login when spawned by sshd_t. Much narrower than login_t and
# remote_login_t: no shadow, wtmp or lastlog rules, so authentication
# and accounting are presumably done by sshd_t itself -- confirm.

domain sshd_login_t;

domain_trans sshd_t /bin/login;

allowpts general w;

allowpts global w;

allowpts -create;

allowpts global r;

allowpts -change general;

allowpts -change global;

allow /var/spool s;

allow /etc/passwd r,s;

allow /var/spool/mail r,s;

allow /var/mail r,s;

}
{
#comment:
# OpenSSH daemon on 22/tcp. chroot is presumably for privilege separation;
# user_r transitions out of this domain into /bin/bash or /bin/sh.

domain sshd_t;

domain_trans initrc_t /usr/sbin/sshd;

allownet;

allownet -wellknown;

allownet -tcp -port 22;

allowcom -unix syslogd_t;

allowpts global w;

allowpts -create;

allowpts global r;

allowpts -change general;

allowpts -change global;

allowadm chroot;

allowadm getsecurity;

allow /root s;

allow /root/.default_contexts r,s;

#allow /bin/bash r,x,s;

#allow /bin/sh r,x,s;

allow /etc/passwd r,s;

allow /etc/shadow r,s;

allow /bin s;

allow /var/log s;

allow /var/log/wtmp r,w,s;

allow /var/log/lastlog r,w,s;

# NOTE(review): a specific developer's home directory is hard-coded in a
# system policy; other users' .default_contexts would not be readable.
# Confirm before deploying this policy elsewhere.
allow /home/ynakam/.default_contexts r,s;

allow /dev/console r,w,s;

allow initrc_var_run_t r,w,s;

allow /tmp exclusive sshd_tmp_t;

allow sshd_tmp_t r,w,s;

allow /var/run exclusive sshd_var_run_t;

allow sshd_var_run_t r,w,s;

allow dev_log_t r,w,s;

allowproc -self w;
}
{
#comment:
# ftp client run by sysadm_r; file access limited to /root.

domain sysadm_ftp_t;

domain_trans sysadm_r /usr/bin/ftp;

allownet;

allowtty global w;

allowtty global r;

allowpts global w;

allowpts global r;

allow /root r,w,s;

allow initrc_var_run_t r,w,s;

}
{
role sysadm_r;
user root;
#comment:system administrator
# General administration role. setenforce/load_policy are deliberately
# absent (they live in secadm_r), but see the insmod note below.

domain_trans newrole_t /bin/sh;

domain_trans newrole_t /bin/bash;

domain_trans login_t /bin/bash;

domain_trans login_t /bin/sh;

allowtty sysadm_r w;

allowtty -create;

allowtty sysadm_r r;

allowpts sysadm_r w;

allowpts -create;

allowpts sysadm_r r;

allowproc -other r;

allowtmpfs -create;

allowtmpfs xserver_t w;

allowtmpfs sysadm_r w;

allowtmpfs xserver_t r;

allowtmpfs sysadm_r r;

allownet;

allownet -raw;

allownet -wellknown;

allownet -tcp -allport;

allowadm swapon;

allowadm unlabel;

allowadm net;

allowadm boot;

allowadm ptrace;

# NOTE(review): loaded kernel code is not subject to this policy, so
# insmod here undermines the sysadm_r / secadm_r split above. Module
# loading is otherwise confined to modutils_t (reachable only from
# initrc_t and kernel_t); consider dropping it from this role.
allowadm insmod;

allowadm search;

allowadm quotaon;

allow /var/webmin/miniserv.pid r,s;

allow /sbin r,x,s;

allow /etc/X11 r,w,x,s;

allow /bin r,x,s;

allow /tmp r,s;

allow /dev/mixer1 r,w,s;

allow /usr/local/selinux/sbin r,x,s;

allow /usr/sbin r,x,s;

allow /usr/X11R6/bin r,x,s;

allow /usr/libexec/webmin-1.140 s;

allow /tmp/ksocket-root r,w,s;

allow /tmp/.ICE-unix r,w,s;

allow /etc/webmin s;

allow /lib/modules r,s;

allow /tmp/.X11-unix r,w,s;

allow /etc r,w,s;

allow /root r,w,s;

# /dev/initctl: control channel to init (telinit/shutdown).
allow /dev/initctl r,w,s;

allow /var/spool/mail r,w,s;

allow /etc/webmin/miniserv.conf r,s;

allow /home r,s;

allow /etc/passwd r,s;

allow /tmp/kde-root r,w,s;

allow /etc/xinetd.d r,w,s;

allow /usr/bin r,x,s;

allow /var/run r,w,s;

allow /dev/dsp r,w,s;

allow /etc/webmin/stop r,x,s;

# NOTE(review): hard-coded developer home directory -- site-specific.
allow /home/ynakam s;

allow /var/lock r,w,s;

allow /etc/webmin/start r,x,s;

allow /dev/mixer r,w,s;

# "x" on /dev/zero is presumably for executable anonymous mappings
# (mmap of /dev/zero with PROT_EXEC) -- confirm something still needs it.
allow /dev/zero r,w,x,s;

allow /usr/local/selinux/bin r,x,s;

allow /dev/console r,w,s;

allow httpd_var_run_t r,s;

allow initrc_var_run_t r,w,s;

allow etc_runtime r,s;

allow xserver_tmp_t r,w,s;

allow dev_log_t r,w,s;

allow /tmp exclusive sysadm_tmp_t;

allow sysadm_tmp_t r,w,s;

# Files this role creates directly under / get the halt_t type (initrc_t
# also has r,w,s on it); the name suggests a shutdown marker -- confirm.
allow / exclusive halt_t;

allow halt_t r,w,s;

allowcom -unix xserver_t;

allowcom -unix syslogd_t;

allowcom -tcp portmap_t;

allowcom -tcp sendmail_t;

allowcom -sig global o;

allowcom -shm xserver_t r,w;

allowcom -sig global s;

allowcom -sig global k;

allowcom -sig global c;

}
{
# System logger; owns the /dev/log socket (dev_log_t) and writes all the
# *_log_t types other domains create under /var/log.
domain syslogd_t;

domain_trans initrc_t /sbin/syslogd;

domain_trans initrc_t /sbin/minilogd;

allowcom -unix xinetd_t;

allowcom -unix login_t;

# NOTE(review): the logger has no reason to write the policy editor's
# files; these two rules look copied from webmin_t and should be removed
# unless something depends on them -- confirm.
allow /usr/libexec/webmin-1.140/selinux/policy r,w,s;

allow /usr/libexec/webmin-1.140/selinux/template r,s;

allow /var/log r,w,s;

allow xinetd_var_log_t r,w,s;

allow login_log_t r,w,s;

allow /var/run exclusive syslogd_var_run_t;

allow syslogd_var_run_t r,w,s;

allow xserver_var_log_t r,w,s;

allow var_log_ksym_t r,w,s;

allow rpm_log_t r,w,s;

allow /dev exclusive dev_log_t;

allow dev_log_t r,w,s;

allow cron_log_t r,w,s;

allow /tmp exclusive syslogd_tmp_t;

allow syslogd_tmp_t r,w,s;

}
{
#comment:
# tmpwatch: needs r,w on every domain's private tmp type to delete
# stale files.

domain tmpreaper_t;

domain_trans initrc_t /usr/sbin/tmpwatch;

domain_trans anacron_t /usr/sbin/tmpwatch;

allow /var/tmp r,w,s;

allow /var/cache/man r,w,s;

allow /tmp r,w,s;

allow xserver_tmp_t r,w,s;

allow klogd_tmp_t r,w,s;

allow sysadm_tmp_t r,w,s;

allow rlogin_tmp_t r,w,s;

allow syslogd_tmp_t r,w,s;

allow logrotate_tmp_t r,w,s;

allow httpd_tmp_t r,w,s;

allow sshd_tmp_t r,w,s;

allow rpcd_tmp_t r,w,s;

allow xfs_tmp_t r,w,s;

allow portmap_tmp_t r,w,s;

allow rpm_tmp_t r,w,s;

}
{
role user_r;
user ynakam;
user root;
#comment:Normal User 
# Unprivileged shell role. NOTE(review): /home is granted r,w,x,s as a
# whole, so this policy does not separate users from each other's home
# directories (that is left to DAC); also note root is mapped here too.

domain_trans sshd_t /bin/bash;

domain_trans sshd_t /bin/sh;

domain_trans newrole_t /bin/bash;

domain_trans newrole_t /bin/sh;

domain_trans login_t /bin/bash;

domain_trans login_t /bin/sh;

domain_trans remote_login_t /bin/sh;

domain_trans remote_login_t /bin/bash;

allowtty user_r w;

allowtty -create;

allowtty user_r r;

allowpts user_r w;

allowpts -create;

allowpts user_r r;

allow /var/spool s;

allow /usr/bin r,x,s;

allow /var/spool/mail r,s;

allow /home r,w,x,s;

allow /usr/local/selinux/sbin r,x,s;

allow /usr/sbin r,x,s;

allow /etc/passwd r,s;

allow /sbin r,x,s;

allow /bin r,x,s;

allow /usr/local/selinux/bin r,x,s;

allow etc_runtime r,s;

}
{
#comment:This is necessary for startx
# utempter updates utmp/wtmp for terminal emulators. NOTE(review): the
# r,w rules on the other *_log_t types look broader than utmp/wtmp
# maintenance requires -- confirm they are needed.

domain utempter_t;

domain_trans sysadm_r /usr/sbin/utempter;

allowtty sysadm_r w;

allowtty sysadm_r r;

allowpts general w;

allowpts sysadm_r w;

allowpts sysadm_r r;

allow /var/log/wtmp r,w,s;

allow /var/run/utmp r,w,s;

allow /var/log r,w,s;

allow xinetd_var_log_t r,w,s;

allow login_log_t r,w,s;

allow initrc_var_run_t r,w,s;

allow xserver_var_log_t r,w,s;

allow var_log_ksym_t r,w,s;

allow cron_log_t r,w,s;

allow rpm_log_t r,w,s;

}
{
role webmaster_r;
user root;
#comment:Web administrator
# Role that manages Apache: may start it (httpd_t has a domain_trans from
# this role), signal it, and edit its configuration, content and logs.

domain_trans login_t /bin/bash;

domain_trans login_t /bin/sh;

domain_trans newrole_t /bin/sh;

domain_trans newrole_t /bin/bash;

allowcom -sig httpd_t s;

allowcom -sig httpd_t k;

allowcom -sig httpd_t c;

allowtty webmaster_r w;

allowtty -create;

allowtty webmaster_r r;

allowpts webmaster_r w;

allowpts -create;

allowpts webmaster_r r;

# Execute on all of /etc/rc.d, not just the httpd script -- confirm
# whether a narrower path is possible.
allow /etc/rc.d r,x,s;

# NOTE(review): write access to /root for a web-admin role is broader
# than the role's purpose suggests -- confirm.
allow /root r,w,s;

allow /var/spool/mail r,w,s;

allow /var/mail s;

allow /etc/httpd r,w,s;

allow /var/log/httpd r,w,s;

allow /etc/passwd r,s;

allow /sbin r,x,s;

allow /bin r,x,s;

allow /var/spool s;

allow /var/www r,w,s;

allow /usr/bin r,x,s;

allow /usr/local/selinux/sbin r,x,s;

allow /usr/sbin r,x,s;

allow /usr/X11R6/bin s;

allow /usr/local/selinux/bin r,x,s;

allow etc_runtime r,s;

}
{
#comment:
# Webmin server hosting the policy editor. With load_policy, relabel and
# write access to /etc/security/selinux this domain can replace the
# enforced policy, so a compromise of it is equivalent to full policy
# control; its network exposure (bare allownet, no port pinning unlike
# httpd_t) deserves a second look.

domain webmin_t;

# NOTE(review): the rest of the file refers to /usr/libexec/webmin-1.140;
# this transition uses the unversioned /usr/libexec/webmin. If that is
# not the path actually executed, no transition happens -- confirm.
domain_trans initrc_t /usr/libexec/webmin/miniserv.pl;

allownet;

allowtty sysadm_r w;

allowtty sysadm_r r;

allowpts sysadm_r w;

allowpts sysadm_r r;

allowcom -unix syslogd_t;

allowadm load_policy;

allowadm search;

allowadm getsecurity;

allowadm relabel;

# NOTE(review): getsecurity and search are duplicated; harmless.
allowadm getsecurity;

allowadm search;

allow /etc/webmin r,w,s;
allow /usr/libexec/webmin/selinux/policy r,w,s;
allow /bin r,x,s;
allow /var/webmin r,w,s;
allow /etc/passwd r,s;
allow /usr/sbin r,x,s;
allow /usr/libexec/webmin r,x,s;
allow /root/.default_contexts r,w,s;
allow /usr/local/selinux/converter r,x,s;
allow /usr/local/selinux/converter/exc_label.tmp r,w,s;
# NOTE(review): the /home/ynakam/... rules point at a developer's working
# copy of the converter; they are site-specific and should not ship.
allow /home/ynakam/.default_contexts r,w,s;
allow /usr/local/selinux/bin r,x,s;
allow /home/ynakam/policyedit/converter r,x,s;
allow /etc/security/selinux r,w,s;
allow /root s;
allow /home s;
allow /dev/console r,w,s;
allow /usr/bin r,x,s;
# Read of /etc/shadow: presumably for Webmin's own password check.
allow /etc/shadow r,s;
allow /home/ynakam/policyedit/converter/exc_label.tmp r,w,x,s;
allow /etc/security r,w,s;
allow /sbin r,s;
allow /home/webmaster/.default_contexts r,w,s;
allow /usr/libexec/webmin/selinux/template r,w,x,s;
allow etc_runtime r,s;
allow dev_log_t r,w,s;
}
{
# X font server; talks to xserver_t over a unix socket (see xserver_t).
domain xfs_t;

domain_trans initrc_t /usr/X11R6/bin/xfs;

allowcom -unix syslogd_t;

allow /usr/X11R6/lib r,x,s;

allow etc_runtime r,s;

allow /var/run exclusive xfs_var_run_t;

allow xfs_var_run_t r,w,s;

allow dev_log_t r,w,s;

allow /tmp exclusive xfs_tmp_t;

allow xfs_tmp_t r,w,s;

}
{
# Super-server; spawns rlogind_t for in.rlogind/in.telnetd. Port 23 is
# telnet (cleartext credentials) -- keep in mind when exposing this host.
domain xinetd_t;

domain_trans initrc_t /usr/sbin/xinetd;

allowcom -unix syslogd_t;

allowcom -udp portmap_t;

allownet;

allownet -wellknown;

allownet -tcp -allport;

allownet -udp -allport;

allownet -tcp -port 23;

allow /usr/bin s;

allow /var/run r,w,s;

allow /usr/sbin s;

allow /etc/passwd r,s;

allow /etc/xinetd.conf r,s;

# NOTE(review): site-specific deny of one developer's home directory;
# /home is only "s" in global anyway -- confirm it is still wanted.
deny /home/ynakam;

allow /etc/xinetd.d r,s;

allow /var/log exclusive xinetd_var_log_t;

allow xinetd_var_log_t r,w,s;

allow /var/run exclusive xinetd_var_run_t;

allow xinetd_var_run_t r,w,s;

allow dev_log_t r,w,s;

}
{
#comment:Domain for sysadm_r's xserver executed by startx 
# XFree86 started by sysadm_r. Needs raw I/O and /dev/mem for the video
# hardware, which makes this one of the domains with direct physical
# memory access; only sysadm_r can enter it.

domain xserver_t;

domain_trans sysadm_r /usr/X11R6/bin/Xwrapper;

domain_trans sysadm_r /usr/X11R6/bin/X;

domain_trans sysadm_r /usr/X11R6/bin/XFree86;

allowadm raw_io;

allowtty sysadm_r w;

allowtty sysadm_r r;

allowcom -unix xfs_t;

allowcom -unix sysadm_r;

allowcom -sig sysadm_r o;

allowcom -shm sysadm_r r,w;

allowproc -proc w;

allowproc -system w;

allowtmpfs -create;

allowtmpfs general w;

allowtmpfs sysadm_r w;

allowtmpfs general r;

allowtmpfs sysadm_r r;

allownet;

allow /tmp/.X11-unix r,w,s;

allow /root r,s;

allow /var/log/XFree86.0.log r,w,s;

allow /dev/apm_bios r,w,s;

allow /etc/X11 r,x,s;

allow /sbin r,x,s;

allow /dev/dri r,w,s;

allow /dev/agpgart r,w,s;

allow /bin r,x,s;

# r,w,x on physical memory: required for mapping video RAM/BIOS, but it
# is full system access if the server is compromised.
allow /dev/mem r,w,x,s;

allow /usr/bin r,x,s;

allow /dev/psaux r,w,s;

allow /usr/sbin r,x,s;

allow /usr/X11R6/bin r,x,s;

allow /dev/mouse r,w,s;

allow /var/lib/xkb r,w,s;

allow /usr/local/selinux/bin r,s;

allow etc_runtime r,s;

allow /var/log exclusive xserver_var_log_t;

allow xserver_var_log_t r,w,s;

allow /tmp exclusive xserver_tmp_t;

allow xserver_tmp_t r,w,s;

allow xfs_tmp_t r,w,s;

}
