Initial commit.

selinux/config

@@ -0,0 +1,11 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=disabled
+# SELINUXTYPE= can take one of these three values:
+#     targeted - Targeted processes are protected,
+#     minimum - Modification of targeted policy. Only selected processes are protected. 
+#     mls - Multi Level Security protection.
+SELINUXTYPE=minimum

selinux/semanage.conf

@@ -0,0 +1,57 @@
+# Authors: Jason Tang <jtang@tresys.com>
+#
+# Copyright (C) 2004-2005 Tresys Technology, LLC
+#
+#  This library is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 2.1 of the License, or (at your option) any later version.
+#
+#  This library is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public
+#  License along with this library; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#
+# Specify how libsemanage will interact with a SELinux policy manager.
+# The four options are:
+#
+#  "source"     - libsemanage manipulates a source SELinux policy
+#  "direct"     - libsemanage will write directly to a module store.
+#  /foo/bar     - Write by way of a policy management server, whose
+#                 named socket is at /foo/bar.  The path must begin
+#                 with a '/'.
+#  foo.com:4242 - Establish a TCP connection to a remote policy
+#                 management server at foo.com.  If there is a colon
+#                 then the remainder is interpreted as a port number;
+#                 otherwise default to port 4242.
+module-store = direct
+
+# When generating the final linked and expanded policy, by default
+# semanage will set the policy version to POLICYDB_VERSION_MAX, as
+# given in <sepol/policydb.h>.  Change this setting if a different
+# version is necessary.
+#policy-version = 19
+
+# expand-check check neverallow rules when executing all semanage
+# commands. There might be a penalty in execution time if this
+# option is enabled.
+expand-check=0
+
+# usepasswd check tells semanage to scan all pass word records for home directories
+# and setup the labeling correctly.  If this is turned off, SELinux will label /home 
+# correctly only.  You will need to use semanage fcontext command.  
+# For example, if you had home dirs in /althome directory you would have to execute
+# semanage fcontext -a -e /home /althome
+usepasswd=False
+bzip-small=true
+bzip-blocksize=5
+ignoredirs=/root
+
+[sefcontext_compile]
+path = /usr/sbin/sefcontext_compile
+args = -r $@
+[end]

selinux/targeted/.policy.sha512

@@ -0,0 +1 @@
+a22e33fcbb09d3c1722d49f584d554e7c9a887c3b1da8dc15f90e9d72884fd73191d410f6d4dbf9f0c7c99e8362393b218002ba9644eecb0d1e509bbc9132d04

selinux/targeted/booleans.subs_dist

@@ -0,0 +1,54 @@
+allow_auditadm_exec_content auditadm_exec_content
+allow_console_login login_console_enabled
+allow_cvs_read_shadow cvs_read_shadow
+allow_daemons_dump_core daemons_dump_core
+allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
+allow_daemons_use_tty daemons_use_tty
+allow_domain_fd_use domain_fd_use
+allow_execheap selinuxuser_execheap
+allow_execmod selinuxuser_execmod
+allow_execstack selinuxuser_execstack
+allow_ftpd_anon_write ftpd_anon_write
+allow_ftpd_full_access ftpd_full_access
+allow_ftpd_use_cifs ftpd_use_cifs
+allow_ftpd_use_nfs ftpd_use_nfs
+allow_gssd_read_tmp gssd_read_tmp
+allow_guest_exec_content guest_exec_content
+allow_httpd_anon_write httpd_anon_write
+allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
+allow_httpd_mod_auth_pam httpd_mod_auth_pam
+allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
+allow_kerberos kerberos_enabled
+allow_mplayer_execstack mplayer_execstack
+allow_mount_anyfile mount_anyfile
+allow_nfsd_anon_write nfsd_anon_write
+allow_polyinstantiation polyinstantiation_enabled
+allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
+allow_rsync_anon_write rsync_anon_write
+allow_saslauthd_read_shadow saslauthd_read_shadow
+allow_secadm_exec_content secadm_exec_content
+allow_smbd_anon_write smbd_anon_write
+allow_ssh_keysign ssh_keysign
+allow_staff_exec_content staff_exec_content
+allow_sysadm_exec_content sysadm_exec_content
+allow_user_exec_content user_exec_content
+allow_user_mysql_connect selinuxuser_mysql_connect_enabled
+allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
+allow_write_xshm xserver_clients_write_xshm
+allow_xguest_exec_content xguest_exec_content
+allow_xserver_execmem xserver_execmem
+allow_ypbind nis_enabled
+allow_zebra_write_config zebra_write_config
+user_direct_dri selinuxuser_direct_dri_enabled
+user_ping selinuxuser_ping
+user_share_music selinuxuser_share_music
+user_tcp_server selinuxuser_tcp_server
+sepgsql_enable_pitr_implementation postgresql_can_rsync
+sepgsql_enable_users_ddl  postgresql_selinux_users_ddl 
+sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
+sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
+clamd_use_jit antivirus_use_jit
+amavis_use_jit antivirus_use_jit
+logwatch_can_sendmail logwatch_can_network_connect_mail
+puppet_manage_all_files puppetagent_manage_all_files
+virt_sandbox_use_nfs virt_use_nfs

selinux/targeted/contexts/customizable_types

@@ -0,0 +1,14 @@
+container_file_t
+sandbox_file_t
+svirt_image_t
+svirt_home_t
+svirt_sandbox_file_t
+virt_content_t
+httpd_user_htaccess_t
+httpd_user_script_exec_t
+httpd_user_rw_content_t
+httpd_user_ra_content_t
+httpd_user_content_t
+git_session_content_t
+home_bin_t
+user_tty_device_t

selinux/targeted/contexts/dbus_contexts

@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+  </selinux>
+</busconfig>

selinux/targeted/contexts/default_contexts

@@ -0,0 +1,15 @@
+system_r:crond_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0		sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0

selinux/targeted/contexts/default_type

@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t

selinux/targeted/contexts/failsafe_context

@@ -0,0 +1 @@
+unconfined_r:unconfined_t:s0

selinux/targeted/contexts/files/file_contexts.homedirs

@@ -0,0 +1,206 @@
+#
+#
+# User-specific file contexts, generated via libsemanage
+# use semanage command to manage system users to change the file_context
+#
+#
+
+
+#
+# Home Context for user user_u
+#
+
+/home/[^/]+/.+	unconfined_u:object_r:user_home_t:s0
+/home/[^/]+/.maildir(/.*)?	unconfined_u:object_r:mail_home_rw_t:s0
+/home/[^/]+/.*/plugins/nppdf\.so.*	--	unconfined_u:object_r:textrel_shlib_t:s0
+/home/[^/]+/((www)|(web)|(public_html))(/.+)?	unconfined_u:object_r:httpd_user_content_t:s0
+/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?	unconfined_u:object_r:httpd_user_script_exec_t:s0
+/home/[^/]+/((www)|(web)|(public_html))(/.*)?/\.htaccess	--	unconfined_u:object_r:httpd_user_htaccess_t:s0
+/home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	unconfined_u:object_r:httpd_user_ra_content_t:s0
+/home/[^/]+/a?quota\.(user|group)	--	unconfined_u:object_r:quota_db_t:s0
+/home/[^/]+/\.nv(/.*)?	unconfined_u:object_r:cache_home_t:s0
+/home/[^/]+/bin(/.*)?	unconfined_u:object_r:home_bin_t:s0
+/home/[^/]+/\.kde(/.*)?	unconfined_u:object_r:config_home_t:s0
+/home/[^/]+/\.lyx(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.mpd(/.*)?	unconfined_u:object_r:mpd_home_t:s0
+/home/[^/]+/\.orc(/.*)?	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.pki(/.*)?	unconfined_u:object_r:home_cert_t:s0
+/home/[^/]+/\.ssh(/.*)?	unconfined_u:object_r:ssh_home_t:s0
+/home/[^/]+/\.uml(/.*)?	unconfined_u:object_r:uml_rw_t:s0
+/home/[^/]+/\.DCOP.*	--	unconfined_u:object_r:iceauth_home_t:s0
+/home/[^/]+/\.dmrc.*	--	unconfined_u:object_r:xdm_home_t:s0
+/home/[^/]+/Audio(/.*)?	unconfined_u:object_r:audio_home_t:s0
+/home/[^/]+/Music(/.*)?	unconfined_u:object_r:audio_home_t:s0
+/home/[^/]+/\.cert(/.*)?	unconfined_u:object_r:home_cert_t:s0
+/home/[^/]+/\.dbus(/.*)?	unconfined_u:object_r:dbus_home_t:s0
+/home/[^/]+/\.java(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.wine(/.*)?	unconfined_u:object_r:wine_home_t:s0
+/home/[^/]+/\.xine(/.*)?	unconfined_u:object_r:config_home_t:s0
+/home/[^/]+/\.Xauth.*	--	unconfined_u:object_r:xauth_home_t:s0
+/home/[^/]+/\.xauth.*	--	unconfined_u:object_r:xauth_home_t:s0
+/home/[^/]+/\.gvfs/.*	<<none>>
+/home/[^/]+/\.local.*	unconfined_u:object_r:gconf_home_t:s0
+/home/[^/]+/\.adobe(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.cache(/.*)?	unconfined_u:object_r:cache_home_t:s0
+/home/[^/]+/\.debug(/.*)?	<<none>>
+/home/[^/]+/\.fonts(/.*)?	unconfined_u:object_r:user_fonts_t:s0
+/home/[^/]+/\.gnash(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.gnupg(/.+)?	unconfined_u:object_r:gpg_secret_t:s0
+/home/[^/]+/\.irssi(/.*)?	unconfined_u:object_r:irc_home_t:s0
+/home/[^/]+/\.pulse(/.*)?	unconfined_u:object_r:pulseaudio_home_t:s0
+/home/[^/]+/\.pyzor(/.*)?	unconfined_u:object_r:spamc_home_t:s0
+/home/[^/]+/\.razor(/.*)?	unconfined_u:object_r:spamc_home_t:s0
+/home/[^/]+/\.spamd(/.*)?	unconfined_u:object_r:spamc_home_t:s0
+/home/[^/]+/\.webex(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/irclog(/.*)?	unconfined_u:object_r:irc_home_t:s0
+/home/[^/]+/vmware(/.*)?	unconfined_u:object_r:vmware_file_t:s0
+/home/[^/]+/\.gconf(d)?(/.*)?	unconfined_u:object_r:gconf_home_t:s0
+/home/[^/]+/Maildir(/.*)?	unconfined_u:object_r:mail_home_rw_t:s0
+/home/[^/]+/\.IBMERS(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.config(/.*)?	unconfined_u:object_r:config_home_t:s0
+/home/[^/]+/\.galeon(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.gnome2(/.*)?	unconfined_u:object_r:gnome_home_t:s0
+/home/[^/]+/\.kismet(/.*)?	unconfined_u:object_r:kismet_home_t:s0
+/home/[^/]+/\.screen(/.*)?	unconfined_u:object_r:screen_home_t:s0
+/home/[^/]+/\.spicec(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.tvtime(/.*)?	unconfined_u:object_r:tvtime_home_t:s0
+/home/[^/]+/\.vmware(/.*)?	unconfined_u:object_r:vmware_file_t:s0
+/home/[^/]+/\.yubico(/.*)?	unconfined_u:object_r:auth_home_t:s0
+/home/[^/]+/POkemon.*(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.vmware[^/]*/.*\.cfg	--	unconfined_u:object_r:vmware_conf_t:s0
+/home/[^/]+/\.forward[^/]*	--	unconfined_u:object_r:mail_home_t:s0
+/home/[^/]+/\.Private(/.*)?	unconfined_u:object_r:ecryptfs_t:s0
+/home/[^/]+/\.fonts\.d(/.*)?	unconfined_u:object_r:user_fonts_config_t:s0
+/home/[^/]+/\.icedtea(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.libvirt(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.mozilla(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.mplayer(/.*)?	unconfined_u:object_r:mplayer_home_t:s0
+/home/[^/]+/\.phoenix(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.ecryptfs(/.*)?	unconfined_u:object_r:ecryptfs_t:s0
+/home/[^/]+/\.netscape(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.virtinst(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.ICAClient(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.cache/gdm(/.*)?	unconfined_u:object_r:xdm_home_t:s0
+/home/[^/]+/\.color/icc(/.*)?	unconfined_u:object_r:icc_data_home_t:s0
+/home/[^/]+/\.local/bin(/.*)?	unconfined_u:object_r:home_bin_t:s0
+/home/[^/]+/\.quakelive(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.wireshark(/.*)?	unconfined_u:object_r:wireshark_home_t:s0
+/home/[^/]+/public_git(/.*)?	unconfined_u:object_r:git_user_content_t:s0
+/home/[^/]+/\.Xauthority.*	--	unconfined_u:object_r:xauth_home_t:s0
+/home/[^/]+/\.serverauth.*	--	unconfined_u:object_r:xauth_home_t:s0
+/home/[^/]+/\.gstreamer-.*	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.fontconfig(/.*)?	unconfined_u:object_r:user_fonts_cache_t:s0
+/home/[^/]+/\.fonts/auto(/.*)?	unconfined_u:object_r:user_fonts_cache_t:s0
+/home/[^/]+/\.macromedia(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.nv/GLCache(/.*)?	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.thumbnails(/.*)?	unconfined_u:object_r:thumb_home_t:s0
+/home/[^/]+/\.ansible/cp/.*	-s	unconfined_u:object_r:ssh_home_t:s0
+/home/[^/]+/missfont\.log.*	unconfined_u:object_r:thumb_home_t:s0
+/home/[^/]+/\.cache/dconf(/.*)?	unconfined_u:object_r:config_home_t:s0
+/home/[^/]+/\.cache/wocky(/.*)?	unconfined_u:object_r:telepathy_gabble_cache_home_t:s0
+/home/[^/]+/\.esmtp_queue(/.*)?	unconfined_u:object_r:mail_home_rw_t:s0
+/home/[^/]+/\.local/share(/.*)?	unconfined_u:object_r:data_home_t:s0
+/home/[^/]+/\.texlive2012(/.*)?	unconfined_u:object_r:texlive_home_t:s0
+/home/[^/]+/\.texlive2013(/.*)?	unconfined_u:object_r:texlive_home_t:s0
+/home/[^/]+/\.texlive2014(/.*)?	unconfined_u:object_r:texlive_home_t:s0
+/home/[^/]+/\.thunderbird(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.ICEauthority.*	--	unconfined_u:object_r:iceauth_home_t:s0
+/home/[^/]+/\.fonts\.cache-.*	--	unconfined_u:object_r:user_fonts_cache_t:s0
+/home/[^/]+/\.config/pulse(/.*)?	unconfined_u:object_r:pulseaudio_home_t:s0
+/home/[^/]+/\.gcjwebplugin(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.grl-podcasts(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.libvirt/qemu(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.polipo-cache(/.*)?	unconfined_u:object_r:polipo_cache_home_t:s0
+/home/[^/]+/\.spamassassin(/.*)?	unconfined_u:object_r:spamc_home_t:s0
+/home/[^/]+/\.cache/GLCache(/.*)?	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.cache/libvirt(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.cache/mozilla(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.icedteaplugin(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/zimbrauserdata(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.wayland-errors.*	--	unconfined_u:object_r:xdm_home_t:s0
+/home/[^/]+/VirtualMachines(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.cache/chromium(/.*)?	unconfined_u:object_r:chrome_sandbox_home_t:s0
+/home/[^/]+/\.config/libvirt(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.xsession-errors.*	--	unconfined_u:object_r:xdm_home_t:s0
+/home/[^/]+/\.cache/telepathy(/.*)?	unconfined_u:object_r:telepathy_cache_home_t:s0
+/home/[^/]+/\.config/chromium(/.*)?	unconfined_u:object_r:chrome_sandbox_home_t:s0
+/home/[^/]+/\.gnome2/keyrings(/.*)?	unconfined_u:object_r:gkeyringd_gnome_home_t:s0
+/home/[^/]+/\.local/share/icc(/.*)?	unconfined_u:object_r:icc_data_home_t:s0
+/home/[^/]+/\.mission-control(/.*)?	unconfined_u:object_r:telepathy_mission_control_home_t:s0
+/home/[^/]+/cxoffice/bin/wine.+	--	unconfined_u:object_r:wine_exec_t:s0
+/home/[^/]+/\.cache/gstreamer-.*	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.cache/thumbnails(/.*)?	unconfined_u:object_r:thumb_home_t:s0
+/home/[^/]+/\.juniper_networks(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.local/share/xorg(/.*)?	unconfined_u:object_r:xdm_home_t:s0
+/home/[^/]+/\.cache/gnome-boxes(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.cache/icedtea-web(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.local/share/fonts(/.*)?	unconfined_u:object_r:user_fonts_t:s0
+/home/[^/]+/\.cache/libvirt/qemu(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.telepathy-sunshine(/.*)?	unconfined_u:object_r:telepathy_sunshine_home_t:s0
+/home/[^/]+/VirtualMachines/isos(/.*)?	unconfined_u:object_r:virt_content_t:s0
+/home/[^/]+/\.cache/google-chrome(/.*)?	unconfined_u:object_r:chrome_sandbox_home_t:s0
+/home/[^/]+/\.config/libvirt/qemu(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.config/systemd/user(/.*)?	unconfined_u:object_r:systemd_unit_file_t:s0
+/home/[^/]+/\.local/share/systemd(/.*)?	unconfined_u:object_r:systemd_home_t:s0
+/home/[^/]+/\.local/share/TpLogger(/.*)?	unconfined_u:object_r:telepathy_logger_data_home_t:s0
+/home/[^/]+/\.local/share/keyrings(/.*)?	unconfined_u:object_r:gkeyringd_gnome_home_t:s0
+/home/[^/]+/\.cache/libvirt-sandbox(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.local/share/telepathy(/.*)?	unconfined_u:object_r:telepathy_data_home_t:s0
+/home/[^/]+/\.cache/telepathy/gabble(/.*)?	unconfined_u:object_r:telepathy_gabble_cache_home_t:s0
+/home/[^/]+/\.cache/telepathy/logger(/.*)?	unconfined_u:object_r:telepathy_logger_cache_home_t:s0
+/home/[^/]+/\.local/share/libvirt/boot(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.local/share/libvirt/images(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.cache/google-chrome-unstable(/.*)?	unconfined_u:object_r:chrome_sandbox_home_t:s0
+/home/[^/]+/\.cache/telepathy/avatars/gabble(/.*)?	unconfined_u:object_r:telepathy_gabble_cache_home_t:s0
+/home/[^/]+/\.local/share/gnome-boxes/images(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.local/share/telepathy/mission-control(/.*)?	unconfined_u:object_r:telepathy_mission_control_data_home_t:s0
+/home/[^/]+/\.local/share/networkmanagement/certificates(/.*)?	unconfined_u:object_r:home_cert_t:s0
+/home/[^/]+/\.kde/share/apps/networkmanagement/certificates(/.*)?	unconfined_u:object_r:home_cert_t:s0
+/home/[^/]+	-d	unconfined_u:object_r:user_home_dir_t:s0
+/home/[^/]+	-l	unconfined_u:object_r:user_home_dir_t:s0
+/home/[^/]+/abc	--	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/tmp	-d	unconfined_u:object_r:user_tmp_t:s0
+/home/[^/]+/\.tmp	-d	unconfined_u:object_r:user_tmp_t:s0
+/home/[^/]+/\.mailrc	--	unconfined_u:object_r:mail_home_t:s0
+/home/[^/]+/\.my\.cnf	--	unconfined_u:object_r:mysqld_home_t:s0
+/home/[^/]+/\.polipo	--	unconfined_u:object_r:polipo_config_home_t:s0
+/home/[^/]+/\.rhosts	--	unconfined_u:object_r:rlogind_home_t:s0
+/home/[^/]+/\.rlogin	--	unconfined_u:object_r:rlogind_home_t:s0
+/home/[^/]+/\.shosts	unconfined_u:object_r:ssh_home_t:s0
+/home/[^/]+/\.esmtprc	--	unconfined_u:object_r:mail_home_t:s0
+/home/[^/]+/\.ircmotd	--	unconfined_u:object_r:irc_home_t:s0
+/home/[^/]+/\.k5login	--	unconfined_u:object_r:krb5_home_t:s0
+/home/[^/]+/\.k5users	--	unconfined_u:object_r:krb5_home_t:s0
+/home/[^/]+/\.manpath	--	unconfined_u:object_r:mandb_home_t:s0
+/home/[^/]+/\.asoundrc	--	unconfined_u:object_r:alsa_home_t:s0
+/home/[^/]+/\.esd_auth	--	unconfined_u:object_r:pulseaudio_home_t:s0
+/home/[^/]+/\.screenrc	--	unconfined_u:object_r:screen_home_t:s0
+/home/[^/]+/\.cvsignore	--	unconfined_u:object_r:cvs_home_t:s0
+/home/[^/]+/\.hushlogin	--	unconfined_u:object_r:local_login_home_t:s0
+/home/[^/]+/\.tmux\.conf	--	unconfined_u:object_r:screen_home_t:s0
+/home/[^/]+/\.Xdefaults	unconfined_u:object_r:config_home_t:s0
+/home/[^/]+/\.fonts\.conf	--	unconfined_u:object_r:user_fonts_config_t:s0
+/home/[^/]+/\.procmailrc	--	unconfined_u:object_r:procmail_home_t:s0
+/home/[^/]+/dead\.letter	--	unconfined_u:object_r:mail_home_t:s0
+/home/[^/]+/mozilla\.pdf	--	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.fetchmailrc	--	unconfined_u:object_r:fetchmail_home_t:s0
+/home/[^/]+/\.pulse-cookie	--	unconfined_u:object_r:pulseaudio_home_t:s0
+/home/[^/]+/\.gnashpluginrc	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.grl-bookmarks	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.gnupg/log-socket	unconfined_u:object_r:gpg_agent_tmp_t:s0
+/home/[^/]+/\.grl-metadata-store	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.google_authenticator	unconfined_u:object_r:auth_home_t:s0
+/home/[^/]+/\.cache/\.mc_connections	--	unconfined_u:object_r:telepathy_mission_control_cache_home_t:s0
+/home/[^/]+/\.google_authenticator~	unconfined_u:object_r:auth_home_t:s0
+/home/(.*/)?\.snapshots(/.*)?	system_u:object_r:snapperd_data_t:s0
+/home/a?quota\.(user|group)	--	system_u:object_r:quota_db_t:s0
+/home/lost\+found/.*	<<none>>
+/home	-d	system_u:object_r:home_root_t:s0
+/home	-l	system_u:object_r:home_root_t:s0
+/home/\-inst	-d	system_u:object_r:home_root_t:s0
+/home/\.journal	<<none>>
+/home/home-inst	-d	system_u:object_r:home_root_t:s0
+/home/lost\+found	-d	system_u:object_r:lost_found_t:s0
+/tmp/gconfd-[^/]+/.*	--	unconfined_u:object_r:gconf_tmp_t:s0
+/tmp/gconfd-[^/]+	-d	unconfined_u:object_r:user_tmp_t:s0
+/var/spool/cron/[^/]+	--	unconfined_u:object_r:user_cron_spool_t:s0

selinux/targeted/contexts/files/file_contexts.subs_dist

@@ -0,0 +1,19 @@
+/run /var/run
+/run/lock /var/lock
+/run/systemd/system /usr/lib/systemd/system
+/run/systemd/generator /usr/lib/systemd/system
+/run/systemd/generator.late /usr/lib/systemd/system
+/lib /usr/lib
+/lib64 /usr/lib
+/usr/lib64 /usr/lib
+/usr/local/lib64 /usr/lib
+/usr/local/lib32 /usr/lib
+/etc/systemd/system /usr/lib/systemd/system
+/var/lib/xguest/home /home
+/var/named/chroot/usr/lib64 /usr/lib
+/var/named/chroot/lib64 /usr/lib
+/home-inst            /home
+/home/home-inst            /home
+/var/roothome        /root
+/sbin                /usr/sbin
+/sysroot/tmp         /tmp

selinux/targeted/contexts/files/media

@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0

selinux/targeted/contexts/initrc_context

@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0

selinux/targeted/contexts/lxc_contexts

@@ -0,0 +1,7 @@
+process = "system_u:system_r:container_t:s0"
+content = "system_u:object_r:virt_var_lib_t:s0"
+file = "system_u:object_r:container_file_t:s0"
+ro_file="system_u:object_r:container_ro_file_t:s0"
+sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
+sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
+sandbox_lxc_process = "system_u:system_r:container_t:s0"

selinux/targeted/contexts/openssh_contexts

@@ -0,0 +1 @@
+privsep_preauth=sshd_net_t

selinux/targeted/contexts/removable_context

@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0

selinux/targeted/contexts/securetty_types

@@ -0,0 +1,4 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t

selinux/targeted/contexts/sepgsql_contexts

@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (MCS)
+#
+
+# <databases>
+db_database	*			system_u:object_r:sepgsql_db_t:s0
+
+# <schemas>
+db_schema	*.*			system_u:object_r:sepgsql_schema_t:s0
+
+# <tables>
+db_table	*.pg_catalog.*		system_u:object_r:sepgsql_sysobj_t:s0
+db_table	*.*.*			system_u:object_r:sepgsql_table_t:s0
+
+# <column>
+db_column	*.pg_catalog.*.*	system_u:object_r:sepgsql_sysobj_t:s0
+db_column	*.*.*.*			system_u:object_r:sepgsql_table_t:s0
+
+# <sequences>
+db_sequence	*.*.*			system_u:object_r:sepgsql_seq_t:s0
+
+# <views>
+db_view		*.*.*			system_u:object_r:sepgsql_view_t:s0
+
+# <procedures>
+db_procedure	*.*.*			system_u:object_r:sepgsql_proc_exec_t:s0
+
+# <tuples>
+db_tuple	*.pg_catalog.*		system_u:object_r:sepgsql_sysobj_t:s0
+db_tuple	*.*.*			system_u:object_r:sepgsql_table_t:s0
+
+# <blobs>
+db_blob		*.*			system_u:object_r:sepgsql_blob_t:s0
+
+# <language>
+db_language	*.sql			system_u:object_r:sepgsql_safe_lang_t:s0
+db_language	*.plpgsql		system_u:object_r:sepgsql_safe_lang_t:s0
+db_language	*.pltcl			system_u:object_r:sepgsql_safe_lang_t:s0
+db_language	*.plperl		system_u:object_r:sepgsql_safe_lang_t:s0
+db_language	*.*			system_u:object_r:sepgsql_lang_t:s0

selinux/targeted/contexts/snapperd_contexts

@@ -0,0 +1 @@
+snapperd_data = system_u:object_r:snapperd_data_t:s0

selinux/targeted/contexts/systemd_contexts

@@ -0,0 +1 @@
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0

selinux/targeted/contexts/userhelper_context

@@ -0,0 +1 @@
+system_u:system_r:unconfined_t:s0

selinux/targeted/contexts/users/guest_u

@@ -0,0 +1,8 @@
+guest_r:guest_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_t:s0
+system_r:initrc_su_t:s0		guest_r:guest_t:s0
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0
+system_r:cockpit_session_t:s0		guest_r:guest_t:s0
+system_r:init_t:s0		guest_r:guest_t:s0

selinux/targeted/contexts/users/root

@@ -0,0 +1,11 @@
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

selinux/targeted/contexts/users/staff_u

@@ -0,0 +1,12 @@
+system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	staff_r:staff_t:s0
+system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:cockpit_session_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0		staff_r:staff_t:s0 staff_r:cronjob_t:s0
+system_r:xdm_t:s0		staff_r:staff_t:s0
+system_r:init_t:s0		staff_r:staff_t:s0
+staff_r:staff_su_t:s0		staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
+

selinux/targeted/contexts/users/sysadm_u

@@ -0,0 +1,14 @@
+system_r:local_login_t:s0	sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	sysadm_r:sysadm_t:s0
+system_r:sshd_t:s0		sysadm_r:sysadm_t:s0
+system_r:cockpit_session_t:s0		sysadm_r:sysadm_t:s0
+system_r:crond_t:s0		sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0		sysadm_r:sysadm_t:s0
+system_r:init_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
+system_r:initrc_su_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
+

selinux/targeted/contexts/users/unconfined_u

@@ -0,0 +1,11 @@
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:initrc_t:s0		unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0	unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0	unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0		unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0		unconfined_r:unconfined_t:s0
+system_r:cockpit_session_t:s0		unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0		unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0	unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0		unconfined_r:unconfined_t:s0
+system_r:init_t:s0		unconfined_r:unconfined_t:s0

selinux/targeted/contexts/users/user_u

@@ -0,0 +1,10 @@
+system_r:init_t:s0	user_r:user_t:s0
+system_r:local_login_t:s0	user_r:user_t:s0
+system_r:remote_login_t:s0	user_r:user_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0
+system_r:cockpit_session_t:s0		user_r:user_t:s0
+system_r:crond_t:s0		user_r:user_t:s0 user_r:cronjob_t:s0
+system_r:xdm_t:s0		user_r:user_t:s0
+user_r:user_su_t:s0		user_r:user_t:s0
+user_r:user_sudo_t:s0		user_r:user_t:s0
+

selinux/targeted/contexts/users/xguest_u

@@ -0,0 +1,9 @@
+system_r:crond_t:s0		xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0		xguest_r:xguest_t:s0
+system_r:local_login_t:s0	xguest_r:xguest_t:s0
+system_r:remote_login_t:s0	xguest_r:xguest_t:s0
+system_r:sshd_t:s0		xguest_r:xguest_t:s0
+system_r:cockpit_session_t:s0		xguest_r:xguest_t:s0
+system_r:xdm_t:s0		xguest_r:xguest_t:s0
+system_r:init_t:s0		xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0		xguest_r:xguest_t:s0

selinux/targeted/contexts/virtual_domain_context

@@ -0,0 +1,2 @@
+system_u:system_r:svirt_t:s0
+system_u:system_r:svirt_tcg_t:s0

selinux/targeted/contexts/virtual_image_context

@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0

selinux/targeted/contexts/x_contexts

@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client	*				system_u:object_r:remote_t:s0
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context.  A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_*			system_u:object_r:seclabel_xproperty_t:s0
+
+# Clipboard and selection properties
+property CUT_BUFFER?			system_u:object_r:clipboard_xproperty_t:s0
+
+# Default fallback type
+property *	   			system_u:object_r:xproperty_t:s0
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context.  A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux			system_u:object_r:security_xextension_t:s0
+
+# Standard extensions
+extension *	   			system_u:object_r:xextension_t:s0
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context.  A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY			system_u:object_r:clipboard_xselection_t:s0
+selection CLIPBOARD			system_u:object_r:clipboard_xselection_t:s0
+
+# Default fallback type
+selection *				system_u:object_r:xselection_t:s0
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context.  A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress			system_u:object_r:input_xevent_t:s0
+event X11:KeyRelease			system_u:object_r:input_xevent_t:s0
+event X11:ButtonPress			system_u:object_r:input_xevent_t:s0
+event X11:ButtonRelease			system_u:object_r:input_xevent_t:s0
+event X11:MotionNotify			system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyPress	system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyRelease	system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonPress	system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonRelease	system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceMotionNotify	system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceValuator	system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityIn	system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityOut	system_u:object_r:input_xevent_t:s0
+
+# Client message events
+event X11:ClientMessage			system_u:object_r:client_xevent_t:s0
+event X11:SelectionNotify		system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify			system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify		system_u:object_r:client_xevent_t:s0
+
+# Default fallback type
+event *					system_u:object_r:xevent_t:s0

selinux/targeted/setrans.conf

@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+# 
+# Uncomment the following to disable translation libary
+disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023.  Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh

selinux/targeted/seusers

@@ -0,0 +1,2 @@
+root:unconfined_u:s0-s0:c0.c1023
+__default__:unconfined_u:s0-s0:c0.c1023