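# Distro-specific customizations.
# Comment out all but the one that matches your distro.
# The policy .te files can then wrap distro-specific customizations with
# appropriate ifdefs.
# NOTE(review): no distro selection lines are present in this copy - confirm
# against the policy source before relying on any distro-specific entries.
#
# This file describes the security contexts to be applied to files
# when the security policy is installed. The setfiles program
# reads this file and labels files accordingly.
#
# Each specification has the form:
#       regexp [ -type ] ( context | <<none>> )
#
# By default, the regexp is an anchored match on both ends (i.e. a
# caret (^) is prepended and a dollar sign ($) is appended automatically).
# This default may be overridden by using .* at the beginning and/or
# end of the regular expression.
#
# The optional type field specifies the file type as shown in the mode
# field by ls, e.g. use -d to match only directories or -- to match only
# regular files.
# (Entries in this file also use -b block device, -c character device,
# -l symbolic link, -p named pipe and -s socket.)
#
# The value of <<none>> may be used to indicate that matching files
# should not be relabeled.
#
# The last matching specification is used.
#
# If there are multiple hard links to a file that match
# different specifications and those specifications indicate
# different security contexts, then a warning is displayed
# but the file is still labeled based on the last matching
# specification other than <<none>>.
#
# Some of the files listed here get re-created during boot and therefore
# need type transition rules to retain the correct type. These files are
# listed here anyway so that if the setfiles program is used on a running
# system it does not relabel them to something we do not want. An example of
# this is /var/run/utmp.
#
# One specification per line: a '#' starts a comment that runs to the end of
# the line, so a specification sharing a line with a comment is ignored.
#
#
# The security context for all files not otherwise specified.
#
/.* system_u:object_r:default_t
#
# The root directory.
#
/ -d system_u:object_r:root_t
#
# Ordinary user home directories.
# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
# HOME_DIR expands to each user's home directory,
# and to HOME_ROOT/[^/]+ for each HOME_ROOT.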
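# ROLE expands to each user's role when role != user_r, and to "user" otherwise.
#
/home -d system_u:object_r:home_root_t
/home/[^/]+ -d system_u:object_r:user_home_dir_t
/home/[^/]+/.+ system_u:object_r:user_home_t
#
# Mount points; do not relabel subdirectories, since
# we don't want to change any removable media by default.
/mnt(/[^/]*)? -d system_u:object_r:mnt_t
/mnt/[^/]*/.* <<none>>
/media(/[^/]*)? -d system_u:object_r:mnt_t
/media/[^/]*/.* <<none>>
#
# /var
#
/var(/.*)? system_u:object_r:var_t
/var/catman(/.*)? system_u:object_r:catman_t
/var/cache/man(/.*)? system_u:object_r:catman_t
/var/yp(/.*)? system_u:object_r:var_yp_t
/var/lib(/.*)? system_u:object_r:var_lib_t
/var/lib/nfs(/.*)? system_u:object_r:var_lib_nfs_t
/var/lib/texmf(/.*)? system_u:object_r:tetex_data_t
/var/cache/fonts(/.*)? system_u:object_r:tetex_data_t
/var/lock(/.*)? system_u:object_r:var_lock_t
# /var/tmp itself is tmp_t; its contents are left alone, except the
# vi.recover directory, which the later (winning) line labels tmp_t.
/var/tmp -d system_u:object_r:tmp_t
/var/tmp/.* <<none>>
/var/tmp/vi\.recover -d system_u:object_r:tmp_t
# NOTE(review): "(/*)?" is an optional run of slashes, not "any sub-path", so
# entries below rpc_pipefs are not covered by <<none>> and fall through to
# /var/lib/nfs(/.*)? above. "(/.*)?" was probably intended - confirm.
/var/lib/nfs/rpc_pipefs(/*)? <<none>>
/var/mailman/bin(/.*)? system_u:object_r:bin_t
/var/mailman/pythonlib(/.*)?/.*\.so(\..*)? -- system_u:object_r:shlib_t
#
# /var/ftp
#
/var/ftp/bin(/.*)? system_u:object_r:bin_t
/var/ftp/bin/ls -- system_u:object_r:ls_exec_t
/var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/var/ftp/etc(/.*)? system_u:object_r:etc_t
#
# /bin
#
/bin(/.*)? system_u:object_r:bin_t
/bin/tcsh -- system_u:object_r:shell_exec_t
/bin/bash -- system_u:object_r:shell_exec_t
/bin/bash2 -- system_u:object_r:shell_exec_t
/bin/sash -- system_u:object_r:shell_exec_t
/bin/d?ash -- system_u:object_r:shell_exec_t
/bin/zsh.* -- system_u:object_r:shell_exec_t
/usr/sbin/sesh -- system_u:object_r:shell_exec_t
/bin/ls -- system_u:object_r:ls_exec_t
#
# /boot
#
/boot(/.*)? system_u:object_r:boot_t
/boot/System\.map-.* -- system_u:object_r:system_map_t
/boot/kernel\.h.* -- system_u:object_r:boot_runtime_t
#
# /dev
#
# "u?dev" makes each pattern apply to both /dev and /udev.
/u?dev(/.*)? system_u:object_r:device_t
/u?dev/pts(/.*)? <<none>>
/u?dev/cpu/.* -c system_u:object_r:cpu_device_t
/u?dev/microcode -c system_u:object_r:cpu_device_t
/u?dev/MAKEDEV -- system_u:object_r:sbin_t
/u?dev/null -c system_u:object_r:null_device_t
/u?dev/full -c system_u:object_r:null_device_t
/u?dev/zero -c system_u:object_r:zero_device_t
/u?dev/console -c system_u:object_r:console_device_t
# NOTE(review): kmem, mem, port and nvram all share memory_device_t, so any
# policy rule that grants a domain access to this type covers all four nodes.
/u?dev/(kmem|mem|port) -c system_u:object_r:memory_device_t
/u?dev/nvram -c system_u:object_r:memory_device_t
/u?dev/random -c system_u:object_r:random_device_t
/u?dev/urandom -c system_u:object_r:urandom_device_t
/u?dev/capi.* -c system_u:object_r:tty_device_t
/u?dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t
/u?dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t
/u?dev/ircomm[0-9]+ -c system_u:object_r:tty_device_t
/u?dev/isdn.* -c system_u:object_r:tty_device_t
/u?dev/.*tty[^/]* -c system_u:object_r:tty_device_t
/u?dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c system_u:object_r:bsdpty_device_t
/u?dev/cu.* -c system_u:object_r:tty_device_t
/u?dev/vcs[^/]* -c system_u:object_r:tty_device_t
/u?dev/ip2[^/]* -c system_u:object_r:tty_device_t
# /dev/tty also matches the ".*tty[^/]*" pattern above; this later line wins.
/u?dev/tty -c system_u:object_r:devtty_t
/dev/lp.* -c system_u:object_r:printer_device_t
/dev/par.* -c system_u:object_r:printer_device_t
/dev/usb/lp.* -c system_u:object_r:printer_device_t
/dev/usblp.* -c system_u:object_r:printer_device_t
/dev/root -b system_u:object_r:fixed_disk_device_t
/u?dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t
/u?dev/dm-[0-9]+ -b system_u:object_r:fixed_disk_device_t
/u?dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t
/u?dev/rd.* -b system_u:object_r:fixed_disk_device_t
/u?dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t
/u?dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t
/u?dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t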
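# Remaining device nodes: fixed and removable disks, input, video, sound,
# tape and scanner devices. One specification per line; the file's own rule
# is that the last matching specification is used.
/u?dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t
/u?dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t
/u?dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t
/u?dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t
/u?dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t
/u?dev/loop.* -b system_u:object_r:fixed_disk_device_t
/u?dev/net/.* -c system_u:object_r:tun_tap_device_t
/u?dev/ram.* -b system_u:object_r:fixed_disk_device_t
/u?dev/rawctl -c system_u:object_r:fixed_disk_device_t
/u?dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t
/u?dev/scramdisk/.* -b system_u:object_r:fixed_disk_device_t
/u?dev/initrd -b system_u:object_r:fixed_disk_device_t
/u?dev/jsfd -b system_u:object_r:fixed_disk_device_t
/u?dev/js.* -c system_u:object_r:mouse_device_t
# jsflash also matches "js.*" above; this later line is the one that applies.
/u?dev/jsflash -c system_u:object_r:fixed_disk_device_t
/u?dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t
/u?dev/usb/rio500 -c system_u:object_r:removable_device_t
/u?dev/fd[^/]+ -b system_u:object_r:removable_device_t
# I think a parallel port disk is a removable device...
/u?dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t
/u?dev/p[fg][0-3] -b system_u:object_r:removable_device_t
/u?dev/aztcd -b system_u:object_r:removable_device_t
/u?dev/bpcd -b system_u:object_r:removable_device_t
/u?dev/gscd -b system_u:object_r:removable_device_t
/u?dev/hitcd -b system_u:object_r:removable_device_t
/u?dev/pcd[0-3] -b system_u:object_r:removable_device_t
/u?dev/mcdx? -b system_u:object_r:removable_device_t
/u?dev/cdu.* -b system_u:object_r:removable_device_t
/u?dev/cm20.* -b system_u:object_r:removable_device_t
/u?dev/optcd -b system_u:object_r:removable_device_t
/u?dev/sbpcd.* -b system_u:object_r:removable_device_t
/u?dev/sjcd -b system_u:object_r:removable_device_t
/u?dev/sonycd -b system_u:object_r:removable_device_t
# parallel port ATAPI generic device
/u?dev/pg[0-3] -c system_u:object_r:removable_device_t
/u?dev/rtc -c system_u:object_r:clock_device_t
/u?dev/psaux -c system_u:object_r:mouse_device_t
/u?dev/atibm -c system_u:object_r:mouse_device_t
/u?dev/logibm -c system_u:object_r:mouse_device_t
/u?dev/.*mouse.* -c system_u:object_r:mouse_device_t
/u?dev/input/.*mouse.* -c system_u:object_r:mouse_device_t
/u?dev/input/event.* -c system_u:object_r:event_device_t
/u?dev/input/mice -c system_u:object_r:mouse_device_t
/u?dev/input/js.* -c system_u:object_r:mouse_device_t
/u?dev/ptmx -c system_u:object_r:ptmx_t
/u?dev/sequencer -c system_u:object_r:misc_device_t
/u?dev/fb[0-9]* -c system_u:object_r:framebuf_device_t
/u?dev/apm_bios -c system_u:object_r:apm_bios_t
/u?dev/cpu/mtrr -c system_u:object_r:mtrr_device_t
/u?dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t
/u?dev/winradio. -c system_u:object_r:v4l_device_t
/u?dev/vttuner -c system_u:object_r:v4l_device_t
/u?dev/tlk[0-3] -c system_u:object_r:v4l_device_t
/u?dev/adsp -c system_u:object_r:sound_device_t
/u?dev/mixer.* -c system_u:object_r:sound_device_t
/u?dev/dsp.* -c system_u:object_r:sound_device_t
/u?dev/audio.* -c system_u:object_r:sound_device_t
/u?dev/r?midi.* -c system_u:object_r:sound_device_t
/u?dev/sequencer2 -c system_u:object_r:sound_device_t
/u?dev/smpte.* -c system_u:object_r:sound_device_t
/u?dev/sndstat -c system_u:object_r:sound_device_t
/u?dev/beep -c system_u:object_r:sound_device_t
/u?dev/patmgr[01] -c system_u:object_r:sound_device_t
/u?dev/mpu401.* -c system_u:object_r:sound_device_t
/u?dev/srnd[0-7] -c system_u:object_r:sound_device_t
/u?dev/aload.* -c system_u:object_r:sound_device_t
/u?dev/amidi.* -c system_u:object_r:sound_device_t
/u?dev/amixer.* -c system_u:object_r:sound_device_t
/u?dev/snd/.* -c system_u:object_r:sound_device_t
/u?dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t
/u?dev/n?(raw)?[qr]ft[0-3] -c system_u:object_r:tape_device_t
/u?dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t
/u?dev/n?tpqic[12].* -c system_u:object_r:tape_device_t
/u?dev/ht[0-1] -b system_u:object_r:tape_device_t
/u?dev/n?osst[0-3].* -c system_u:object_r:tape_device_t
/u?dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t
/u?dev/tape.* -c system_u:object_r:tape_device_t
/u?dev/usb/scanner.* -c system_u:object_r:scanner_device_t
/u?dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t
/u?dev/usb/mdc800.* -c system_u:object_r:scanner_device_t
/u?dev/usb/tty.* -c system_u:object_r:usbtty_device_t
/u?dev/mmetfgrab -c system_u:object_r:scanner_device_t
/u?dev/nvidia.* -c system_u:object_r:xserver_misc_device_t
/u?dev/dri/.+ -c system_u:object_r:dri_device_t
/u?dev/radeon -c system_u:object_r:dri_device_t
/u?dev/agpgart -c system_u:object_r:agp_device_t
# These three trees are never relabeled by setfiles.
/proc(/.*)? <<none>>
/sys(/.*)? <<none>>
/selinux(/.*)? <<none>>
/opt(/.*)? system_u:object_r:usr_t
/opt/[^/]*/bin(/.*)? system_u:object_r:bin_t
/opt/[^/]*/lib(/.*)? system_u:object_r:lib_t
/opt/[^/]*/lib/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/opt/[^/]*/lib/.*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/opt/.*/lib/.*\.so -- system_u:object_r:shlib_t
/opt/[^/]*/man(/.*)? system_u:object_r:man_t
/opt/[^/]*/libexec(/.*)? system_u:object_r:bin_t
#
# /etc
#
/etc(/.*)? system_u:object_r:etc_t
/var/db/.*\.db -- system_u:object_r:etc_t
/etc/\.pwd\.lock -- system_u:object_r:shadow_t
/etc/passwd\.lock -- system_u:object_r:shadow_t
/etc/group\.lock -- system_u:object_r:shadow_t
# The trailing ".*" also captures any file whose name merely starts with
# "shadow" or "gshadow", so such copies get shadow_t rather than etc_t.
/etc/shadow.* -- system_u:object_r:shadow_t
/etc/gshadow.* -- system_u:object_r:shadow_t
/var/db/shadow.* -- system_u:object_r:shadow_t
/etc/blkid\.tab -- system_u:object_r:etc_runtime_t
/etc/fstab\.REVOKE -- system_u:object_r:etc_runtime_t
/etc/HOSTNAME -- system_u:object_r:etc_runtime_t
/etc/ioctl\.save -- system_u:object_r:etc_runtime_t
/etc/mtab -- system_u:object_r:etc_runtime_t
/etc/motd -- system_u:object_r:etc_runtime_t
/etc/issue -- system_u:object_r:etc_runtime_t
/etc/issue\.net -- system_u:object_r:etc_runtime_t
/etc/sysconfig/hwconf -- system_u:object_r:etc_runtime_t
/etc/sysconfig/iptables.save -- system_u:object_r:etc_runtime_t
/etc/sysconfig/firstboot -- system_u:object_r:etc_runtime_t
/etc/asound\.state -- system_u:object_r:etc_runtime_t
/etc/ptal/ptal-printd-like -- system_u:object_r:etc_runtime_t
/etc/ld\.so\.cache -- system_u:object_r:ld_so_cache_t
/etc/ld\.so\.preload -- system_u:object_r:ld_so_cache_t
/etc/yp\.conf.* -- system_u:object_r:net_conf_t
/etc/resolv\.conf.* -- system_u:object_r:net_conf_t
/etc/selinux(/.*)? system_u:object_r:selinux_config_t
/etc/security/selinux(/.*)? system_u:object_r:policy_config_t
/etc/security/selinux/src(/.*)? system_u:object_r:policy_src_t
/etc/security/default_contexts.* system_u:object_r:default_context_t
/etc/services -- system_u:object_r:etc_t
/etc/selinux/[^/]*/policy(/.*)? system_u:object_r:policy_config_t
/etc/selinux/[^/]*/src(/.*)? system_u:object_r:policy_src_t
/etc/selinux/[^/]*/contexts(/.*)? system_u:object_r:default_context_t
/etc/selinux/[^/]*/contexts/files(/.*)? system_u:object_r:file_context_t
#
# /lib(64)?
#
/lib(64)?(/.*)? system_u:object_r:lib_t
/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
/lib(64)?/tls/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/lib(64)?/security/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/lib(64)?/tls/i.86/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# /sbin
#
/sbin(/.*)? system_u:object_r:sbin_t
#
# /tmp
#
/tmp -d system_u:object_r:tmp_t
/tmp/.* <<none>>
#
# /usr
#
/usr(/.*)? system_u:object_r:usr_t
/usr/etc(/.*)? system_u:object_r:etc_t
/usr/libexec(/.*)? system_u:object_r:bin_t
/usr/src(/.*)? system_u:object_r:src_t
/usr/tmp(/.*)? system_u:object_r:tmp_t
/usr/man(/.*)? system_u:object_r:man_t
/usr/share/man(/.*)? system_u:object_r:man_t
/usr/share/mc/extfs/.* -- system_u:object_r:bin_t
/usr/share/texmf/teTeX/bin(/.*)? system_u:object_r:bin_t
#
# /usr/bin
#
/usr/bin(/.*)? system_u:object_r:bin_t
#
# /usr/lib(64)?
#
/usr/lib(64)?(/.*)? system_u:object_r:lib_t
/usr/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t
/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
/usr/lib(64)?/emacsen-common/.* system_u:object_r:bin_t
/usr/lib(64)?/.*/bin(/.*)? system_u:object_r:bin_t
/usr/share/guile/g-wrapped/.*\.so -- system_u:object_r:shlib_t
#
# /usr/.*glibc.*-linux/lib(64)?
#
/usr/.*glibc.*-linux/lib(64)?(/.*)? system_u:object_r:lib_t
/usr/.*glibc.*-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
/usr/.*glibc.*-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# /usr/.*redhat-linux/lib(64)?
#
/usr/.*redhat-linux/lib(64)?(/.*)? system_u:object_r:lib_t
/usr/.*redhat-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
/usr/.*redhat-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# /usr/.*linux-libc.*/lib(64)?
#
/usr/.*linux-libc.*/lib(64)?(/.*)? system_u:object_r:lib_t
/usr/.*linux-libc.*/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
/usr/.*linux-libc.*/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# /usr/.*-.*-linux-gnu
#
#
# /usr/local
#
/usr/local/etc(/.*)? system_u:object_r:etc_t
/usr/local/src(/.*)? system_u:object_r:src_t
/usr/local/sbin(/.*)? system_u:object_r:sbin_t
/usr/local/man(/.*)? system_u:object_r:man_t
#
# /usr/local/bin
#
/usr/local/bin(/.*)? system_u:object_r:bin_t
# NOTE(review): the pattern ends in "/" and is anchored at both ends, so it
# only matches a path that itself ends in a slash; "bin(/.*)?" looks like
# what was meant - confirm this entry labels anything.
/usr/local/Acrobat.*/bin/ system_u:object_r:bin_t
#
# /usr/local/lib(64)?
#
/usr/local/lib(64)?(/.*)? system_u:object_r:lib_t
/usr/local/lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# /usr/sbin
#
/usr/sbin(/.*)? system_u:object_r:sbin_t
#
# /usr/X11R6/(.*/)?bin
#
/usr/X11R6/(.*/)?bin(/.*)? system_u:object_r:bin_t
#
# /usr/X11R6/(.*/)?lib(64)?
#
/usr/X11R6/(.*/)?lib(64)?(/.*)? system_u:object_r:lib_t
/usr/X11R6/(.*/)?lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# /usr/X11R6/man
#
/usr/X11R6/man(/.*)? system_u:object_r:man_t
#
# /usr/kerberos
#
/usr/kerberos/bin(/.*)? system_u:object_r:bin_t
/usr/kerberos/sbin(/.*)? system_u:object_r:sbin_t
/usr/kerberos/lib(64)?(/.*)? system_u:object_r:lib_t
/usr/kerberos/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# Fonts dir
#
/usr/X11R6/lib/X11/fonts(/.*)? system_u:object_r:fonts_t
/usr/share/fonts(/.*)? system_u:object_r:fonts_t
/usr/local/share/fonts(/.*)? system_u:object_r:fonts_t
#
# /var/run
#
/var/run(/.*)? system_u:object_r:var_run_t
# "\.*" is zero or more literal dots, so this matches every path under
# /var/run that ends in "pid"; those files are left unlabeled by setfiles
# unless a later, more specific entry names them.
/var/run/.*\.*pid <<none>>
#
# /var/spool
#
/var/spool(/.*)? system_u:object_r:var_spool_t
/var/spool/texmf(/.*)? system_u:object_r:tetex_data_t
#
# /var/log
#
/var/log(/.*)? system_u:object_r:var_log_t
/var/log/wtmp.* -- system_u:object_r:wtmp_t
/var/log/btmp.* -- system_u:object_r:faillog_t
/var/log/faillog -- system_u:object_r:faillog_t
/var/log/ksyms.* -- system_u:object_r:var_log_ksyms_t
/var/log/dmesg -- system_u:object_r:var_log_t
/var/log/lastlog -- system_u:object_r:lastlog_t
/var/log/ksymoops(/.*)? system_u:object_r:var_log_ksyms_t
/var/log/syslog -- system_u:object_r:var_log_t
#
# Journal files
#
/\.journal <<none>>
/usr/\.journal <<none>>
/boot/\.journal <<none>>
/home/\.journal <<none>>
/var/\.journal <<none>>
/tmp/\.journal <<none>>
/usr/local/\.journal <<none>>
#
# Lost and found directories.
#
/lost\+found(/.*)? system_u:object_r:lost_found_t
/usr/lost\+found(/.*)? system_u:object_r:lost_found_t
/boot/lost\+found(/.*)? system_u:object_r:lost_found_t
/home/lost\+found(/.*)? system_u:object_r:lost_found_t
/var/lost\+found(/.*)? system_u:object_r:lost_found_t
/tmp/lost\+found(/.*)? system_u:object_r:lost_found_t
/usr/local/lost\+found(/.*)? system_u:object_r:lost_found_t
#
# system localization
#
/usr/share/zoneinfo(/.*)? system_u:object_r:locale_t
/usr/share/locale(/.*)? system_u:object_r:locale_t
/usr/lib/locale(/.*)? system_u:object_r:locale_t
# A regular /etc/localtime gets locale_t; a symbolic link there gets etc_t.
/etc/localtime -- system_u:object_r:locale_t
/etc/localtime -l system_u:object_r:etc_t
#
# Gnu Cash
#
/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t
/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
#
# initrd mount point, only used during boot
#
/initrd -d system_u:object_r:root_t
#
# The Sun Java development kit, RPM install
#
/usr/java/(.*/)?bin(/.*)? system_u:object_r:bin_t
/usr/java/(.*/)?jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t
/usr/java/(.*/)?plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/usr/java/(.*/)?lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# The krb5.conf file is always being tested for writability, so
# we defined a type to dontaudit
#
/etc/krb5\.conf -- system_u:object_r:krb5_conf_t
# NOTE(review): several patterns below use an unescaped "." (e.g. "+.py",
# "resolv.conf"), which matches any character; entries elsewhere in this file
# escape it as "\.". The effect is a slightly wider match than the file name.
/usr/share/system-config-network(/netconfig)?/[^/]+.py -- system_u:object_r:bin_t
/etc/sysconfig/networking/profiles/.*/resolv.conf -- system_u:object_r:net_conf_t
/etc/sysconfig/network-scripts/.*resolv.conf -- system_u:object_r:net_conf_t
/usr/share/rhn/rhn_applet/applet.py -- system_u:object_r:bin_t
/usr/share/rhn/rhn_applet/eggtrayiconmodule.so -- system_u:object_r:shlib_t
/usr/share/rhn/rhn_applet/needed-packages.py -- system_u:object_r:bin_t
/usr/share/authconfig/authconfig-gtk.py -- system_u:object_r:bin_t
/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
/usr/share/system-logviewer/system-logviewer.py -- system_u:object_r:bin_t
/usr/share/system-config-date/system-config-date.py -- system_u:object_r:bin_t
/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
/usr/share/system-config-netboot/system-config-netboot.py -- system_u:object_r:bin_t
/usr/share/system-config-netboot/pxeos.py -- system_u:object_r:bin_t
/usr/share/system-config-netboot/pxeboot.py -- system_u:object_r:bin_t
/usr/share/system-config-nfs/system-config-nfs.py -- system_u:object_r:bin_t
/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t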
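# More tool scripts under /usr/share labeled bin_t, followed by per-service
# sections. One specification per line; the file's own rule is that the last
# matching specification is used.
/usr/share/system-config-samba/system-config-samba.py -- system_u:object_r:bin_t
/usr/share/system-config-securitylevel/system-config-securitylevel.py -- system_u:object_r:bin_t
/usr/share/system-config-services/serviceconf.py -- system_u:object_r:bin_t
/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
/usr/share/switchdesk/switchdesk-gui.py -- system_u:object_r:bin_t
/usr/share/system-config-network/neat-control.py -- system_u:object_r:bin_t
/usr/share/system-config-nfs/nfs-export.py -- system_u:object_r:bin_t
/usr/share/pydict/pydict.py -- system_u:object_r:bin_t
/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t
# apache
/home/[^/]+/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
/usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t
/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t
/etc/httpd -d system_u:object_r:httpd_config_t
/etc/httpd/conf.* system_u:object_r:httpd_config_t
/etc/httpd/logs system_u:object_r:httpd_log_t
/etc/httpd/modules system_u:object_r:httpd_modules_t
/etc/apache(2)?(/.*)? system_u:object_r:httpd_config_t
/etc/vhosts -- system_u:object_r:httpd_config_t
/usr/lib(64)?/apache(/.*)? system_u:object_r:httpd_modules_t
/usr/lib(64)?/apache2/modules(/.*)? system_u:object_r:httpd_modules_t
/usr/lib(64)?/httpd(/.*)? system_u:object_r:httpd_modules_t
/usr/sbin/httpd -- system_u:object_r:httpd_exec_t
/usr/sbin/apache(2)? -- system_u:object_r:httpd_exec_t
/usr/sbin/suexec -- system_u:object_r:httpd_suexec_exec_t
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t
/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t
/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
/var/log/apache(2)?(/.*)? system_u:object_r:httpd_log_t
/var/log/cgiwrap.log.* -- system_u:object_r:httpd_log_t
/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t
/var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t
/var/run/apache(2)?.pid.* -- system_u:object_r:httpd_var_run_t
/var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t
/etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t
# NOTE(review): this gives httpd_exec_t to every regular file under
# /usr/lib/apache-ssl, whereas the other apache entries reserve that type for
# the daemon binaries in /usr/sbin - confirm the breadth is intended.
/usr/lib/apache-ssl(/.*)? -- system_u:object_r:httpd_exec_t
/usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t
/var/log/apache-ssl(2)?(/.*)? system_u:object_r:httpd_log_t
/var/run/apache-ssl(2)?.pid.* -- system_u:object_r:httpd_var_run_t
/var/run/gcache_port -s system_u:object_r:httpd_var_run_t
# dhcpd
# NOTE(review): "." in dhcpd.conf is unescaped and matches any character;
# other entries in this file write it as "\.".
/etc/dhcpd.conf -- system_u:object_r:dhcp_etc_t
/etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t
/usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t
/var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
# NOTE(review): "-d" limits this entry to directories, so a regular
# dhcpd.pid file is not matched by it; the other pid-file entries in this
# file use "--" - confirm which was intended.
/var/run/dhcpd\.pid -d system_u:object_r:dhcpd_var_run_t
/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t
# hotplug
/etc/hotplug(/.*)? system_u:object_r:hotplug_etc_t
/sbin/hotplug -- system_u:object_r:hotplug_exec_t
/etc/hotplug.d/default/default.* system_u:object_r:sbin_t
/etc/hotplug/.*agent -- system_u:object_r:sbin_t
/etc/hotplug/.*rc -- system_u:object_r:sbin_t
/etc/hotplug/hotplug.functions -- system_u:object_r:sbin_t
/var/run/usb(/.*)? system_u:object_r:hotplug_var_run_t
# init rc scripts
/etc/X11/prefdm -- system_u:object_r:initrc_exec_t
/etc/rc\.d/rc -- system_u:object_r:initrc_exec_t
/etc/rc\.d/rc\.sysinit -- system_u:object_r:initrc_exec_t
/etc/rc\.d/rc\.local -- system_u:object_r:initrc_exec_t
# The "functions" files also match the init\.d/.* patterns; they are listed
# after them so that the etc_t label is the one that applies.
/etc/rc\.d/init\.d/.* -- system_u:object_r:initrc_exec_t
/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t
/etc/init\.d/.* -- system_u:object_r:initrc_exec_t
/etc/init\.d/functions -- system_u:object_r:etc_t
/var/run/utmp -- system_u:object_r:initrc_var_run_t
/var/run/runlevel\.dir system_u:object_r:initrc_var_run_t
/var/run/random-seed -- system_u:object_r:initrc_var_run_t
/var/run/setmixer_flag -- system_u:object_r:initrc_var_run_t
# run_init
/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
/etc/nologin.* -- system_u:object_r:etc_runtime_t
/etc/nohotplug -- system_u:object_r:etc_runtime_t
/halt -- system_u:object_r:etc_runtime_t
/\.autofsck -- system_u:object_r:etc_runtime_t
# init
/dev/initctl -p system_u:object_r:initctl_t
/sbin/init -- system_u:object_r:init_exec_t
# mailman list server
/var/lib/mailman(/.*)? system_u:object_r:mailman_data_t
/var/log/mailman(/.*)? system_u:object_r:mailman_log_t
/usr/lib/mailman/cron/.* -- system_u:object_r:mailman_queue_exec_t
/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
/var/run/mailman(/.*)? system_u:object_r:mailman_lock_t
/var/lib/mailman/archives(/.*)? system_u:object_r:mailman_archive_t
/usr/lib/mailman/cgi-bin/.* -- system_u:object_r:mailman_cgi_exec_t
/var/lock/mailman(/.*)? system_u:object_r:mailman_lock_t
/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t
/usr/lib/mailman/bin/qrunner -- system_u:object_r:mailman_queue_exec_t
/etc/mailman(/.*)? system_u:object_r:mailman_data_t
/var/spool/mailman(/.*)? system_u:object_r:mailman_data_t
# module utilities
/etc/modules\.conf.* -- system_u:object_r:modules_conf_t
/etc/modprobe\.conf.* -- system_u:object_r:modules_conf_t
# NOTE(review): under the last-match rule this entry is overridden by the
# /lib(64)?/modules(/.*)? line that follows; the modprobe\.conf.* entry two
# lines further down is the one that takes effect.
/lib(64)?/modules/modprobe.conf -- system_u:object_r:modules_conf_t
/lib(64)?/modules(/.*)? system_u:object_r:modules_object_t
/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t
/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t
/sbin/depmod.* -- system_u:object_r:depmod_exec_t
/sbin/modprobe.* -- system_u:object_r:insmod_exec_t
/sbin/insmod.* -- system_u:object_r:insmod_exec_t
# Also matches "insmod.*" above; listed later so that it ends up sbin_t.
/sbin/insmod_ksymoops_clean -- system_u:object_r:sbin_t
/sbin/rmmod.* -- system_u:object_r:insmod_exec_t
/sbin/update-modules -- system_u:object_r:update_modules_exec_t
/sbin/generate-modprobe.conf -- system_u:object_r:update_modules_exec_t
# mysql database server
/usr/sbin/mysqld -- system_u:object_r:mysqld_exec_t
/usr/libexec/mysqld -- system_u:object_r:mysqld_exec_t
/var/run/mysqld(/.*)? system_u:object_r:mysqld_var_run_t
/var/log/mysql.* -- system_u:object_r:mysqld_log_t
/var/lib/mysql(/.*)? system_u:object_r:mysqld_db_t
/var/lib/mysql/mysql.sock -s system_u:object_r:mysqld_var_run_t
/etc/my\.cnf -- system_u:object_r:mysqld_etc_t
/etc/mysql(/.*)? system_u:object_r:mysqld_etc_t
# named
/var/named(/.*)? system_u:object_r:named_zone_t
/var/named/slaves(/.*)? system_u:object_r:named_cache_t
/var/named/data(/.*)? system_u:object_r:named_cache_t
/etc/named\.conf -- system_u:object_r:named_conf_t
/etc/rndc.* -- system_u:object_r:named_conf_t
/usr/sbin/named -- system_u:object_r:named_exec_t
/usr/sbin/r?ndc -- system_u:object_r:ndc_exec_t
/var/run/ndc -s system_u:object_r:named_var_run_t
/var/run/bind(/.*)? system_u:object_r:named_var_run_t
/var/run/named(/.*)? system_u:object_r:named_var_run_t
/usr/sbin/lwresd -- system_u:object_r:named_exec_t
/var/named/named\.ca -- system_u:object_r:named_conf_t
# Everything in the chroot defaults to named_conf_t; the entries after this
# one override that for the device nodes, run, tmp, zone and cache paths.
/var/named/chroot(/.*)? system_u:object_r:named_conf_t
/var/named/chroot/dev/null -c system_u:object_r:null_device_t
/var/named/chroot/dev/random -c system_u:object_r:random_device_t
/var/named/chroot/dev/zero -c system_u:object_r:zero_device_t
/var/named/chroot/etc/named\.conf -- system_u:object_r:named_conf_t
/var/named/chroot/etc/rndc.* -- system_u:object_r:named_conf_t
/var/named/chroot/var/run/named(/.*)? system_u:object_r:named_var_run_t
/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t
/var/named/chroot/var/named(/.*)? system_u:object_r:named_zone_t
/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t
/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t
/var/named/chroot/var/named/named\.ca -- system_u:object_r:named_conf_t
# nscd
/usr/sbin/nscd -- system_u:object_r:nscd_exec_t
/var/run/\.nscd_socket -s system_u:object_r:nscd_var_run_t
/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t
/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t
/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t
/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t
/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t
/etc/ntp(d)?\.conf -- system_u:object_r:net_conf_t
/etc/ntp/step-tickers -- system_u:object_r:net_conf_t
/usr/sbin/ntpd -- system_u:object_r:ntpd_exec_t
/usr/sbin/ntpdate -- system_u:object_r:ntpd_exec_t
/var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t
/var/log/ntpd.* -- system_u:object_r:ntpd_log_t
/var/log/xntpd.* -- system_u:object_r:ntpd_log_t
/var/run/ntpd.pid -- system_u:object_r:ntpd_var_run_t
/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t
/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t
# portmap
/sbin/portmap -- system_u:object_r:portmap_exec_t
/sbin/pmap_dump -- system_u:object_r:portmap_exec_t
# rpm
/var/lib/rpm(/.*)? system_u:object_r:rpm_var_lib_t
/var/lib/alternatives(/.*)? system_u:object_r:rpm_var_lib_t
/bin/rpm -- system_u:object_r:rpm_exec_t
/usr/bin/yum -- system_u:object_r:rpm_exec_t
/usr/bin/apt-get -- system_u:object_r:rpm_exec_t
/usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
/usr/bin/synaptic -- system_u:object_r:rpm_exec_t
/usr/lib(64)?/rpm/rpmd -- system_u:object_r:bin_t
/usr/lib(64)?/rpm/rpmq -- system_u:object_r:bin_t
/usr/lib(64)?/rpm/rpmk -- system_u:object_r:bin_t
/usr/lib(64)?/rpm/rpmv -- system_u:object_r:bin_t
/var/log/rpmpkgs.* -- system_u:object_r:rpm_log_t
/var/log/yum.log -- system_u:object_r:rpm_log_t
/usr/sbin/up2date -- system_u:object_r:rpm_exec_t
/usr/sbin/rhn_check -- system_u:object_r:rpm_exec_t
# SuSE
# snmpd
/usr/sbin/snmp(trap)?d -- system_u:object_r:snmpd_exec_t
/var/lib/snmp(/.*)? system_u:object_r:snmpd_var_lib_t
/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t
/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t
/var/run/snmpd\.pid -- system_u:object_r:snmpd_var_run_t
/var/run/snmpd -d system_u:object_r:snmpd_var_run_t
# NOTE(review): the group has no trailing "?", so the /var/net-snmp directory
# itself is not matched here - only paths beneath it are. Sibling entries use
# "(/.*)?"; confirm whether the directory should carry this type too.
/var/net-snmp(/.*) system_u:object_r:snmpd_var_lib_t
/var/log/snmpd.log -- system_u:object_r:snmpd_log_t
# squid
/usr/sbin/squid -- system_u:object_r:squid_exec_t
/var/cache/squid(/.*)? system_u:object_r:squid_cache_t
/var/spool/squid(/.*)? system_u:object_r:squid_cache_t
/var/log/squid(/.*)? system_u:object_r:squid_log_t
/etc/squid(/.*)? system_u:object_r:squid_conf_t
/var/run/squid\.pid -- system_u:object_r:squid_var_run_t
/usr/share/squid(/.*)? system_u:object_r:squid_conf_t
# syslogd
/sbin/syslogd -- system_u:object_r:syslogd_exec_t
/sbin/minilogd -- system_u:object_r:syslogd_exec_t
/usr/sbin/syslogd -- system_u:object_r:syslogd_exec_t
/sbin/syslog-ng -- system_u:object_r:syslogd_exec_t
/dev/log -s system_u:object_r:devlog_t
/var/run/log -s system_u:object_r:devlog_t
/var/run/syslogd\.pid -- system_u:object_r:syslogd_var_run_t
# udev
/sbin/udevsend -- system_u:object_r:udev_exec_t
/sbin/udev -- system_u:object_r:udev_exec_t
/sbin/udevd -- system_u:object_r:udev_exec_t
/sbin/start_udev -- system_u:object_r:udev_exec_t
/usr/bin/udevinfo -- system_u:object_r:udev_exec_t
/etc/dev\.d/.+ -- system_u:object_r:udev_helper_exec_t
/etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t
/etc/hotplug.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
/dev/udev\.tbl -- system_u:object_r:udev_tbl_t
/dev/\.udev\.tdb -- system_u:object_r:udev_tbl_t
# ypbind
/sbin/ypbind -- system_u:object_r:ypbind_exec_t
#
# User-specific file contexts
#
# These entries use the SELinux user "root" rather than system_u, except the
# last one.
/root -d root:object_r:user_home_dir_t
/root/.+ root:object_r:user_home_t
/root/((www)|(web)|(public_html))(/.+)? root:object_r:httpd_user_content_t
# NOTE(review): the leading "." is unescaped, so any single character in that
# position matches; "\.default_contexts" would pin it to the dot-file.
/root/.default_contexts -- system_u:object_r:default_context_t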