Initial commit.

selinux/targeted/contexts/customizable_types

@@ -0,0 +1,14 @@
+container_file_t
+sandbox_file_t
+svirt_image_t
+svirt_home_t
+svirt_sandbox_file_t
+virt_content_t
+httpd_user_htaccess_t
+httpd_user_script_exec_t
+httpd_user_rw_content_t
+httpd_user_ra_content_t
+httpd_user_content_t
+git_session_content_t
+home_bin_t
+user_tty_device_t

selinux/targeted/contexts/dbus_contexts

@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <selinux>
+  </selinux>
+</busconfig>

selinux/targeted/contexts/default_contexts

@@ -0,0 +1,15 @@
+system_r:crond_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0		sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0

selinux/targeted/contexts/default_type

@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t

selinux/targeted/contexts/failsafe_context

@@ -0,0 +1 @@
+unconfined_r:unconfined_t:s0

selinux/targeted/contexts/files/file_contexts.homedirs

@@ -0,0 +1,206 @@
+#
+#
+# User-specific file contexts, generated via libsemanage
+# use semanage command to manage system users to change the file_context
+#
+#
+
+
+#
+# Home Context for user user_u
+#
+
+/home/[^/]+/.+	unconfined_u:object_r:user_home_t:s0
+/home/[^/]+/.maildir(/.*)?	unconfined_u:object_r:mail_home_rw_t:s0
+/home/[^/]+/.*/plugins/nppdf\.so.*	--	unconfined_u:object_r:textrel_shlib_t:s0
+/home/[^/]+/((www)|(web)|(public_html))(/.+)?	unconfined_u:object_r:httpd_user_content_t:s0
+/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)?	unconfined_u:object_r:httpd_user_script_exec_t:s0
+/home/[^/]+/((www)|(web)|(public_html))(/.*)?/\.htaccess	--	unconfined_u:object_r:httpd_user_htaccess_t:s0
+/home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	unconfined_u:object_r:httpd_user_ra_content_t:s0
+/home/[^/]+/a?quota\.(user|group)	--	unconfined_u:object_r:quota_db_t:s0
+/home/[^/]+/\.nv(/.*)?	unconfined_u:object_r:cache_home_t:s0
+/home/[^/]+/bin(/.*)?	unconfined_u:object_r:home_bin_t:s0
+/home/[^/]+/\.kde(/.*)?	unconfined_u:object_r:config_home_t:s0
+/home/[^/]+/\.lyx(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.mpd(/.*)?	unconfined_u:object_r:mpd_home_t:s0
+/home/[^/]+/\.orc(/.*)?	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.pki(/.*)?	unconfined_u:object_r:home_cert_t:s0
+/home/[^/]+/\.ssh(/.*)?	unconfined_u:object_r:ssh_home_t:s0
+/home/[^/]+/\.uml(/.*)?	unconfined_u:object_r:uml_rw_t:s0
+/home/[^/]+/\.DCOP.*	--	unconfined_u:object_r:iceauth_home_t:s0
+/home/[^/]+/\.dmrc.*	--	unconfined_u:object_r:xdm_home_t:s0
+/home/[^/]+/Audio(/.*)?	unconfined_u:object_r:audio_home_t:s0
+/home/[^/]+/Music(/.*)?	unconfined_u:object_r:audio_home_t:s0
+/home/[^/]+/\.cert(/.*)?	unconfined_u:object_r:home_cert_t:s0
+/home/[^/]+/\.dbus(/.*)?	unconfined_u:object_r:dbus_home_t:s0
+/home/[^/]+/\.java(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.wine(/.*)?	unconfined_u:object_r:wine_home_t:s0
+/home/[^/]+/\.xine(/.*)?	unconfined_u:object_r:config_home_t:s0
+/home/[^/]+/\.Xauth.*	--	unconfined_u:object_r:xauth_home_t:s0
+/home/[^/]+/\.xauth.*	--	unconfined_u:object_r:xauth_home_t:s0
+/home/[^/]+/\.gvfs/.*	<<none>>
+/home/[^/]+/\.local.*	unconfined_u:object_r:gconf_home_t:s0
+/home/[^/]+/\.adobe(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.cache(/.*)?	unconfined_u:object_r:cache_home_t:s0
+/home/[^/]+/\.debug(/.*)?	<<none>>
+/home/[^/]+/\.fonts(/.*)?	unconfined_u:object_r:user_fonts_t:s0
+/home/[^/]+/\.gnash(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.gnupg(/.+)?	unconfined_u:object_r:gpg_secret_t:s0
+/home/[^/]+/\.irssi(/.*)?	unconfined_u:object_r:irc_home_t:s0
+/home/[^/]+/\.pulse(/.*)?	unconfined_u:object_r:pulseaudio_home_t:s0
+/home/[^/]+/\.pyzor(/.*)?	unconfined_u:object_r:spamc_home_t:s0
+/home/[^/]+/\.razor(/.*)?	unconfined_u:object_r:spamc_home_t:s0
+/home/[^/]+/\.spamd(/.*)?	unconfined_u:object_r:spamc_home_t:s0
+/home/[^/]+/\.webex(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/irclog(/.*)?	unconfined_u:object_r:irc_home_t:s0
+/home/[^/]+/vmware(/.*)?	unconfined_u:object_r:vmware_file_t:s0
+/home/[^/]+/\.gconf(d)?(/.*)?	unconfined_u:object_r:gconf_home_t:s0
+/home/[^/]+/Maildir(/.*)?	unconfined_u:object_r:mail_home_rw_t:s0
+/home/[^/]+/\.IBMERS(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.config(/.*)?	unconfined_u:object_r:config_home_t:s0
+/home/[^/]+/\.galeon(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.gnome2(/.*)?	unconfined_u:object_r:gnome_home_t:s0
+/home/[^/]+/\.kismet(/.*)?	unconfined_u:object_r:kismet_home_t:s0
+/home/[^/]+/\.screen(/.*)?	unconfined_u:object_r:screen_home_t:s0
+/home/[^/]+/\.spicec(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.tvtime(/.*)?	unconfined_u:object_r:tvtime_home_t:s0
+/home/[^/]+/\.vmware(/.*)?	unconfined_u:object_r:vmware_file_t:s0
+/home/[^/]+/\.yubico(/.*)?	unconfined_u:object_r:auth_home_t:s0
+/home/[^/]+/POkemon.*(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.vmware[^/]*/.*\.cfg	--	unconfined_u:object_r:vmware_conf_t:s0
+/home/[^/]+/\.forward[^/]*	--	unconfined_u:object_r:mail_home_t:s0
+/home/[^/]+/\.Private(/.*)?	unconfined_u:object_r:ecryptfs_t:s0
+/home/[^/]+/\.fonts\.d(/.*)?	unconfined_u:object_r:user_fonts_config_t:s0
+/home/[^/]+/\.icedtea(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.libvirt(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.mozilla(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.mplayer(/.*)?	unconfined_u:object_r:mplayer_home_t:s0
+/home/[^/]+/\.phoenix(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.ecryptfs(/.*)?	unconfined_u:object_r:ecryptfs_t:s0
+/home/[^/]+/\.netscape(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.virtinst(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.ICAClient(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.cache/gdm(/.*)?	unconfined_u:object_r:xdm_home_t:s0
+/home/[^/]+/\.color/icc(/.*)?	unconfined_u:object_r:icc_data_home_t:s0
+/home/[^/]+/\.local/bin(/.*)?	unconfined_u:object_r:home_bin_t:s0
+/home/[^/]+/\.quakelive(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.wireshark(/.*)?	unconfined_u:object_r:wireshark_home_t:s0
+/home/[^/]+/public_git(/.*)?	unconfined_u:object_r:git_user_content_t:s0
+/home/[^/]+/\.Xauthority.*	--	unconfined_u:object_r:xauth_home_t:s0
+/home/[^/]+/\.serverauth.*	--	unconfined_u:object_r:xauth_home_t:s0
+/home/[^/]+/\.gstreamer-.*	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.fontconfig(/.*)?	unconfined_u:object_r:user_fonts_cache_t:s0
+/home/[^/]+/\.fonts/auto(/.*)?	unconfined_u:object_r:user_fonts_cache_t:s0
+/home/[^/]+/\.macromedia(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.nv/GLCache(/.*)?	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.thumbnails(/.*)?	unconfined_u:object_r:thumb_home_t:s0
+/home/[^/]+/\.ansible/cp/.*	-s	unconfined_u:object_r:ssh_home_t:s0
+/home/[^/]+/missfont\.log.*	unconfined_u:object_r:thumb_home_t:s0
+/home/[^/]+/\.cache/dconf(/.*)?	unconfined_u:object_r:config_home_t:s0
+/home/[^/]+/\.cache/wocky(/.*)?	unconfined_u:object_r:telepathy_gabble_cache_home_t:s0
+/home/[^/]+/\.esmtp_queue(/.*)?	unconfined_u:object_r:mail_home_rw_t:s0
+/home/[^/]+/\.local/share(/.*)?	unconfined_u:object_r:data_home_t:s0
+/home/[^/]+/\.texlive2012(/.*)?	unconfined_u:object_r:texlive_home_t:s0
+/home/[^/]+/\.texlive2013(/.*)?	unconfined_u:object_r:texlive_home_t:s0
+/home/[^/]+/\.texlive2014(/.*)?	unconfined_u:object_r:texlive_home_t:s0
+/home/[^/]+/\.thunderbird(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.ICEauthority.*	--	unconfined_u:object_r:iceauth_home_t:s0
+/home/[^/]+/\.fonts\.cache-.*	--	unconfined_u:object_r:user_fonts_cache_t:s0
+/home/[^/]+/\.config/pulse(/.*)?	unconfined_u:object_r:pulseaudio_home_t:s0
+/home/[^/]+/\.gcjwebplugin(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.grl-podcasts(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.libvirt/qemu(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.polipo-cache(/.*)?	unconfined_u:object_r:polipo_cache_home_t:s0
+/home/[^/]+/\.spamassassin(/.*)?	unconfined_u:object_r:spamc_home_t:s0
+/home/[^/]+/\.cache/GLCache(/.*)?	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.cache/libvirt(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.cache/mozilla(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.icedteaplugin(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/zimbrauserdata(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.wayland-errors.*	--	unconfined_u:object_r:xdm_home_t:s0
+/home/[^/]+/VirtualMachines(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.cache/chromium(/.*)?	unconfined_u:object_r:chrome_sandbox_home_t:s0
+/home/[^/]+/\.config/libvirt(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.xsession-errors.*	--	unconfined_u:object_r:xdm_home_t:s0
+/home/[^/]+/\.cache/telepathy(/.*)?	unconfined_u:object_r:telepathy_cache_home_t:s0
+/home/[^/]+/\.config/chromium(/.*)?	unconfined_u:object_r:chrome_sandbox_home_t:s0
+/home/[^/]+/\.gnome2/keyrings(/.*)?	unconfined_u:object_r:gkeyringd_gnome_home_t:s0
+/home/[^/]+/\.local/share/icc(/.*)?	unconfined_u:object_r:icc_data_home_t:s0
+/home/[^/]+/\.mission-control(/.*)?	unconfined_u:object_r:telepathy_mission_control_home_t:s0
+/home/[^/]+/cxoffice/bin/wine.+	--	unconfined_u:object_r:wine_exec_t:s0
+/home/[^/]+/\.cache/gstreamer-.*	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.cache/thumbnails(/.*)?	unconfined_u:object_r:thumb_home_t:s0
+/home/[^/]+/\.juniper_networks(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.local/share/xorg(/.*)?	unconfined_u:object_r:xdm_home_t:s0
+/home/[^/]+/\.cache/gnome-boxes(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.cache/icedtea-web(/.*)?	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.local/share/fonts(/.*)?	unconfined_u:object_r:user_fonts_t:s0
+/home/[^/]+/\.cache/libvirt/qemu(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.telepathy-sunshine(/.*)?	unconfined_u:object_r:telepathy_sunshine_home_t:s0
+/home/[^/]+/VirtualMachines/isos(/.*)?	unconfined_u:object_r:virt_content_t:s0
+/home/[^/]+/\.cache/google-chrome(/.*)?	unconfined_u:object_r:chrome_sandbox_home_t:s0
+/home/[^/]+/\.config/libvirt/qemu(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.config/systemd/user(/.*)?	unconfined_u:object_r:systemd_unit_file_t:s0
+/home/[^/]+/\.local/share/systemd(/.*)?	unconfined_u:object_r:systemd_home_t:s0
+/home/[^/]+/\.local/share/TpLogger(/.*)?	unconfined_u:object_r:telepathy_logger_data_home_t:s0
+/home/[^/]+/\.local/share/keyrings(/.*)?	unconfined_u:object_r:gkeyringd_gnome_home_t:s0
+/home/[^/]+/\.cache/libvirt-sandbox(/.*)?	unconfined_u:object_r:virt_home_t:s0
+/home/[^/]+/\.local/share/telepathy(/.*)?	unconfined_u:object_r:telepathy_data_home_t:s0
+/home/[^/]+/\.cache/telepathy/gabble(/.*)?	unconfined_u:object_r:telepathy_gabble_cache_home_t:s0
+/home/[^/]+/\.cache/telepathy/logger(/.*)?	unconfined_u:object_r:telepathy_logger_cache_home_t:s0
+/home/[^/]+/\.local/share/libvirt/boot(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.local/share/libvirt/images(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.cache/google-chrome-unstable(/.*)?	unconfined_u:object_r:chrome_sandbox_home_t:s0
+/home/[^/]+/\.cache/telepathy/avatars/gabble(/.*)?	unconfined_u:object_r:telepathy_gabble_cache_home_t:s0
+/home/[^/]+/\.local/share/gnome-boxes/images(/.*)?	unconfined_u:object_r:svirt_home_t:s0
+/home/[^/]+/\.local/share/telepathy/mission-control(/.*)?	unconfined_u:object_r:telepathy_mission_control_data_home_t:s0
+/home/[^/]+/\.local/share/networkmanagement/certificates(/.*)?	unconfined_u:object_r:home_cert_t:s0
+/home/[^/]+/\.kde/share/apps/networkmanagement/certificates(/.*)?	unconfined_u:object_r:home_cert_t:s0
+/home/[^/]+	-d	unconfined_u:object_r:user_home_dir_t:s0
+/home/[^/]+	-l	unconfined_u:object_r:user_home_dir_t:s0
+/home/[^/]+/abc	--	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/tmp	-d	unconfined_u:object_r:user_tmp_t:s0
+/home/[^/]+/\.tmp	-d	unconfined_u:object_r:user_tmp_t:s0
+/home/[^/]+/\.mailrc	--	unconfined_u:object_r:mail_home_t:s0
+/home/[^/]+/\.my\.cnf	--	unconfined_u:object_r:mysqld_home_t:s0
+/home/[^/]+/\.polipo	--	unconfined_u:object_r:polipo_config_home_t:s0
+/home/[^/]+/\.rhosts	--	unconfined_u:object_r:rlogind_home_t:s0
+/home/[^/]+/\.rlogin	--	unconfined_u:object_r:rlogind_home_t:s0
+/home/[^/]+/\.shosts	unconfined_u:object_r:ssh_home_t:s0
+/home/[^/]+/\.esmtprc	--	unconfined_u:object_r:mail_home_t:s0
+/home/[^/]+/\.ircmotd	--	unconfined_u:object_r:irc_home_t:s0
+/home/[^/]+/\.k5login	--	unconfined_u:object_r:krb5_home_t:s0
+/home/[^/]+/\.k5users	--	unconfined_u:object_r:krb5_home_t:s0
+/home/[^/]+/\.manpath	--	unconfined_u:object_r:mandb_home_t:s0
+/home/[^/]+/\.asoundrc	--	unconfined_u:object_r:alsa_home_t:s0
+/home/[^/]+/\.esd_auth	--	unconfined_u:object_r:pulseaudio_home_t:s0
+/home/[^/]+/\.screenrc	--	unconfined_u:object_r:screen_home_t:s0
+/home/[^/]+/\.cvsignore	--	unconfined_u:object_r:cvs_home_t:s0
+/home/[^/]+/\.hushlogin	--	unconfined_u:object_r:local_login_home_t:s0
+/home/[^/]+/\.tmux\.conf	--	unconfined_u:object_r:screen_home_t:s0
+/home/[^/]+/\.Xdefaults	unconfined_u:object_r:config_home_t:s0
+/home/[^/]+/\.fonts\.conf	--	unconfined_u:object_r:user_fonts_config_t:s0
+/home/[^/]+/\.procmailrc	--	unconfined_u:object_r:procmail_home_t:s0
+/home/[^/]+/dead\.letter	--	unconfined_u:object_r:mail_home_t:s0
+/home/[^/]+/mozilla\.pdf	--	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.fetchmailrc	--	unconfined_u:object_r:fetchmail_home_t:s0
+/home/[^/]+/\.pulse-cookie	--	unconfined_u:object_r:pulseaudio_home_t:s0
+/home/[^/]+/\.gnashpluginrc	unconfined_u:object_r:mozilla_home_t:s0
+/home/[^/]+/\.grl-bookmarks	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.gnupg/log-socket	unconfined_u:object_r:gpg_agent_tmp_t:s0
+/home/[^/]+/\.grl-metadata-store	unconfined_u:object_r:gstreamer_home_t:s0
+/home/[^/]+/\.google_authenticator	unconfined_u:object_r:auth_home_t:s0
+/home/[^/]+/\.cache/\.mc_connections	--	unconfined_u:object_r:telepathy_mission_control_cache_home_t:s0
+/home/[^/]+/\.google_authenticator~	unconfined_u:object_r:auth_home_t:s0
+/home/(.*/)?\.snapshots(/.*)?	system_u:object_r:snapperd_data_t:s0
+/home/a?quota\.(user|group)	--	system_u:object_r:quota_db_t:s0
+/home/lost\+found/.*	<<none>>
+/home	-d	system_u:object_r:home_root_t:s0
+/home	-l	system_u:object_r:home_root_t:s0
+/home/\-inst	-d	system_u:object_r:home_root_t:s0
+/home/\.journal	<<none>>
+/home/home-inst	-d	system_u:object_r:home_root_t:s0
+/home/lost\+found	-d	system_u:object_r:lost_found_t:s0
+/tmp/gconfd-[^/]+/.*	--	unconfined_u:object_r:gconf_tmp_t:s0
+/tmp/gconfd-[^/]+	-d	unconfined_u:object_r:user_tmp_t:s0
+/var/spool/cron/[^/]+	--	unconfined_u:object_r:user_cron_spool_t:s0

selinux/targeted/contexts/files/file_contexts.subs_dist

@@ -0,0 +1,19 @@
+/run /var/run
+/run/lock /var/lock
+/run/systemd/system /usr/lib/systemd/system
+/run/systemd/generator /usr/lib/systemd/system
+/run/systemd/generator.late /usr/lib/systemd/system
+/lib /usr/lib
+/lib64 /usr/lib
+/usr/lib64 /usr/lib
+/usr/local/lib64 /usr/lib
+/usr/local/lib32 /usr/lib
+/etc/systemd/system /usr/lib/systemd/system
+/var/lib/xguest/home /home
+/var/named/chroot/usr/lib64 /usr/lib
+/var/named/chroot/lib64 /usr/lib
+/home-inst            /home
+/home/home-inst            /home
+/var/roothome        /root
+/sbin                /usr/sbin
+/sysroot/tmp         /tmp

selinux/targeted/contexts/files/media

@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0

selinux/targeted/contexts/initrc_context

@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0

selinux/targeted/contexts/lxc_contexts

@@ -0,0 +1,7 @@
+process = "system_u:system_r:container_t:s0"
+content = "system_u:object_r:virt_var_lib_t:s0"
+file = "system_u:object_r:container_file_t:s0"
+ro_file="system_u:object_r:container_ro_file_t:s0"
+sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
+sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
+sandbox_lxc_process = "system_u:system_r:container_t:s0"

selinux/targeted/contexts/openssh_contexts

@@ -0,0 +1 @@
+privsep_preauth=sshd_net_t

selinux/targeted/contexts/removable_context

@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0

selinux/targeted/contexts/securetty_types

@@ -0,0 +1,4 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t

selinux/targeted/contexts/sepgsql_contexts

@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (MCS)
+#
+
+# <databases>
+db_database	*			system_u:object_r:sepgsql_db_t:s0
+
+# <schemas>
+db_schema	*.*			system_u:object_r:sepgsql_schema_t:s0
+
+# <tables>
+db_table	*.pg_catalog.*		system_u:object_r:sepgsql_sysobj_t:s0
+db_table	*.*.*			system_u:object_r:sepgsql_table_t:s0
+
+# <column>
+db_column	*.pg_catalog.*.*	system_u:object_r:sepgsql_sysobj_t:s0
+db_column	*.*.*.*			system_u:object_r:sepgsql_table_t:s0
+
+# <sequences>
+db_sequence	*.*.*			system_u:object_r:sepgsql_seq_t:s0
+
+# <views>
+db_view		*.*.*			system_u:object_r:sepgsql_view_t:s0
+
+# <procedures>
+db_procedure	*.*.*			system_u:object_r:sepgsql_proc_exec_t:s0
+
+# <tuples>
+db_tuple	*.pg_catalog.*		system_u:object_r:sepgsql_sysobj_t:s0
+db_tuple	*.*.*			system_u:object_r:sepgsql_table_t:s0
+
+# <blobs>
+db_blob		*.*			system_u:object_r:sepgsql_blob_t:s0
+
+# <language>
+db_language	*.sql			system_u:object_r:sepgsql_safe_lang_t:s0
+db_language	*.plpgsql		system_u:object_r:sepgsql_safe_lang_t:s0
+db_language	*.pltcl			system_u:object_r:sepgsql_safe_lang_t:s0
+db_language	*.plperl		system_u:object_r:sepgsql_safe_lang_t:s0
+db_language	*.*			system_u:object_r:sepgsql_lang_t:s0

selinux/targeted/contexts/snapperd_contexts

@@ -0,0 +1 @@
+snapperd_data = system_u:object_r:snapperd_data_t:s0

selinux/targeted/contexts/systemd_contexts

@@ -0,0 +1 @@
+runtime=system_u:object_r:systemd_runtime_unit_file_t:s0

selinux/targeted/contexts/userhelper_context

@@ -0,0 +1 @@
+system_u:system_r:unconfined_t:s0

selinux/targeted/contexts/users/guest_u

@@ -0,0 +1,8 @@
+guest_r:guest_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_t:s0
+system_r:initrc_su_t:s0		guest_r:guest_t:s0
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0
+system_r:cockpit_session_t:s0		guest_r:guest_t:s0
+system_r:init_t:s0		guest_r:guest_t:s0

selinux/targeted/contexts/users/root

@@ -0,0 +1,11 @@
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0

selinux/targeted/contexts/users/staff_u

@@ -0,0 +1,12 @@
+system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	staff_r:staff_t:s0
+system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:cockpit_session_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0		staff_r:staff_t:s0 staff_r:cronjob_t:s0
+system_r:xdm_t:s0		staff_r:staff_t:s0
+system_r:init_t:s0		staff_r:staff_t:s0
+staff_r:staff_su_t:s0		staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
+

selinux/targeted/contexts/users/sysadm_u

@@ -0,0 +1,14 @@
+system_r:local_login_t:s0	sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	sysadm_r:sysadm_t:s0
+system_r:sshd_t:s0		sysadm_r:sysadm_t:s0
+system_r:cockpit_session_t:s0		sysadm_r:sysadm_t:s0
+system_r:crond_t:s0		sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0		sysadm_r:sysadm_t:s0
+system_r:init_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
+system_r:initrc_su_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_t:s0		sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
+

selinux/targeted/contexts/users/unconfined_u

@@ -0,0 +1,11 @@
+system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:initrc_t:s0		unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0	unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0	unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0		unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0		unconfined_r:unconfined_t:s0
+system_r:cockpit_session_t:s0		unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0		unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0	unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0		unconfined_r:unconfined_t:s0
+system_r:init_t:s0		unconfined_r:unconfined_t:s0

selinux/targeted/contexts/users/user_u

@@ -0,0 +1,10 @@
+system_r:init_t:s0	user_r:user_t:s0
+system_r:local_login_t:s0	user_r:user_t:s0
+system_r:remote_login_t:s0	user_r:user_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0
+system_r:cockpit_session_t:s0		user_r:user_t:s0
+system_r:crond_t:s0		user_r:user_t:s0 user_r:cronjob_t:s0
+system_r:xdm_t:s0		user_r:user_t:s0
+user_r:user_su_t:s0		user_r:user_t:s0
+user_r:user_sudo_t:s0		user_r:user_t:s0
+

selinux/targeted/contexts/users/xguest_u

@@ -0,0 +1,9 @@
+system_r:crond_t:s0		xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0		xguest_r:xguest_t:s0
+system_r:local_login_t:s0	xguest_r:xguest_t:s0
+system_r:remote_login_t:s0	xguest_r:xguest_t:s0
+system_r:sshd_t:s0		xguest_r:xguest_t:s0
+system_r:cockpit_session_t:s0		xguest_r:xguest_t:s0
+system_r:xdm_t:s0		xguest_r:xguest_t:s0
+system_r:init_t:s0		xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0		xguest_r:xguest_t:s0

selinux/targeted/contexts/virtual_domain_context

@@ -0,0 +1,2 @@
+system_u:system_r:svirt_t:s0
+system_u:system_r:svirt_tcg_t:s0

selinux/targeted/contexts/virtual_image_context

@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0

selinux/targeted/contexts/x_contexts

@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client	*				system_u:object_r:remote_t:s0
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context.  A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_*			system_u:object_r:seclabel_xproperty_t:s0
+
+# Clipboard and selection properties
+property CUT_BUFFER?			system_u:object_r:clipboard_xproperty_t:s0
+
+# Default fallback type
+property *	   			system_u:object_r:xproperty_t:s0
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context.  A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux			system_u:object_r:security_xextension_t:s0
+
+# Standard extensions
+extension *	   			system_u:object_r:xextension_t:s0
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context.  A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY			system_u:object_r:clipboard_xselection_t:s0
+selection CLIPBOARD			system_u:object_r:clipboard_xselection_t:s0
+
+# Default fallback type
+selection *				system_u:object_r:xselection_t:s0
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context.  A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress			system_u:object_r:input_xevent_t:s0
+event X11:KeyRelease			system_u:object_r:input_xevent_t:s0
+event X11:ButtonPress			system_u:object_r:input_xevent_t:s0
+event X11:ButtonRelease			system_u:object_r:input_xevent_t:s0
+event X11:MotionNotify			system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyPress	system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyRelease	system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonPress	system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonRelease	system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceMotionNotify	system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceValuator	system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityIn	system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityOut	system_u:object_r:input_xevent_t:s0
+
+# Client message events
+event X11:ClientMessage			system_u:object_r:client_xevent_t:s0
+event X11:SelectionNotify		system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify			system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify		system_u:object_r:client_xevent_t:s0
+
+# Default fallback type
+event *					system_u:object_r:xevent_t:s0