add radius and amanda, which I forgot to ci
authorChris PeBenito <cpebenito@tresys.com>
Sat, 22 Oct 2005 22:51:01 +0000 (22:51 +0000)
committerChris PeBenito <cpebenito@tresys.com>
Sat, 22 Oct 2005 22:51:01 +0000 (22:51 +0000)
refpolicy/policy/modules/admin/amanda.fc [new file with mode: 0644]
refpolicy/policy/modules/admin/amanda.if [new file with mode: 0644]
refpolicy/policy/modules/admin/amanda.te [new file with mode: 0644]
refpolicy/policy/modules/services/radius.fc [new file with mode: 0644]
refpolicy/policy/modules/services/radius.if [new file with mode: 0644]
refpolicy/policy/modules/services/radius.te [new file with mode: 0644]
refpolicy/policy/modules/services/snmp.if
refpolicy/policy/modules/services/snmp.te
refpolicy/policy/modules/system/userdomain.if
refpolicy/policy/modules/system/userdomain.te

diff --git a/refpolicy/policy/modules/admin/amanda.fc b/refpolicy/policy/modules/admin/amanda.fc
new file mode 100644 (file)
index 0000000..2780ecb
--- /dev/null
@@ -0,0 +1,72 @@
+
+/etc/amanda(/.*)?                      gen_context(system_u:object_r:amanda_config_t,s0)
+/etc/amanda/.*/tapelist(/.*)?          gen_context(system_u:object_r:amanda_data_t,s0)
+/etc/amandates                         gen_context(system_u:object_r:amanda_amandates_t,s0)
+/etc/dumpdates                         gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+
+/root/restore                  -d      gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+
+/tmp/amanda(/.*)?                      gen_context(system_u:object_r:amanda_tmp_t,s0)
+
+/usr/lib(64)?/amanda           -d      gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+/usr/lib(64)?/amanda/amandad   --      gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amcat\.awk        --      gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amcleanupdisk --  gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amidxtaped        --      gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amindexd  --      gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+/usr/lib(64)?/amanda/amlogroll --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.awk --    gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.g --      gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amplot\.gp        --      gen_context(system_u:object_r:amanda_script_exec_t,s0)
+/usr/lib(64)?/amanda/amtrmidx  --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/amtrmlog  --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/calcsize  --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-chio  --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-chs   --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-manual        --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-mtx   --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-multi --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-rth   --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-scsi  --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/chg-zd-mtx        --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/driver    --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/dumper    --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/killpgrp  --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/patch-system --   gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/planner   --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/rundump   --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/runtar    --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/selfcheck --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/sendbackup        --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/sendsize  --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/taper     --      gen_context(system_u:object_r:amanda_exec_t,s0)
+/usr/lib(64)?/amanda/versionsuffix --  gen_context(system_u:object_r:amanda_exec_t,s0)
+
+/usr/sbin/amadmin              --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcheck              --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcheckdb            --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amcleanup            --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amdump               --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amflush              --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amgetconf            --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amlabel              --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amoverview           --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amplot               --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrecover            --      gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+/usr/sbin/amreport             --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrestore            --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amrmtape             --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amstatus             --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amtape               --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amtoc                        --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+/usr/sbin/amverify             --      gen_context(system_u:object_r:amanda_user_exec_t,s0)
+
+/var/lib/amanda                        -d      gen_context(system_u:object_r:amanda_var_lib_t,s0)
+/var/lib/amanda/\.amandahosts  --      gen_context(system_u:object_r:amanda_config_t,s0)
+/var/lib/amanda/\.bashrc       --      gen_context(system_u:object_r:amanda_shellconfig_t,s0)
+/var/lib/amanda/\.profile      --      gen_context(system_u:object_r:amanda_shellconfig_t,s0)
+/var/lib/amanda/disklist       --      gen_context(system_u:object_r:amanda_data_t,s0)
+/var/lib/amanda/gnutar-lists(/.*)?     gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
+/var/lib/amanda/index                  gen_context(system_u:object_r:amanda_data_t,s0)
+
+/var/log/amanda(/.*)?                  gen_context(system_u:object_r:amanda_log_t,s0)
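Review bot: `/var/lib/amanda/index` is the only entry under /var/lib/amanda in this hunk that carries neither a `(/.*)?` suffix nor a `--` file-type flag, so a relabel would match only that path itself. If index is a directory, as Amanda's index directory normally is, its contents would not get amanda_data_t from this file and would fall back to whatever generic /var/lib rule applies, outside the type amanda_t is allowed to write to in amanda.te. In that case the line should read `/var/lib/amanda/index(/.*)?  gen_context(system_u:object_r:amanda_data_t,s0)`; if it is a plain file, adding `--` makes that explicit.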
diff --git a/refpolicy/policy/modules/admin/amanda.if b/refpolicy/policy/modules/admin/amanda.if
new file mode 100644 (file)
index 0000000..ca3b683
--- /dev/null
@@ -0,0 +1,64 @@
+## <summary>Automated backup program.</summary>
+
+########################################
+## <summary>
+##     Execute amrecover in the amanda_recover domain.
+## </summary>
+## <param name="domain">
+##     The type of the process performing this action.
+## </param>
+#
+interface(`amanda_domtrans_recover',`
+       gen_require(`
+               type amanda_recover_t, amanda_recover_exec_t;
+       ')
+
+       domain_auto_trans($1,amanda_recover_exec_t,amanda_recover_t)
+
+       allow $1 amanda_recover_t:fd use;
+       allow amanda_recover_t $1:fd use;
+       allow amanda_recover_t $1:fifo_file rw_file_perms;
+       allow amanda_recover_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##     Execute amrecover in the amanda_recover domain, and
+##     allow the specified role the amanda_recover domain.
+## </summary>
+## <param name="domain">
+##     The type of the process performing this action.
+## </param>
+## <param name="role">
+##     The role to be allowed the amanda_recover domain.
+## </param>
+## <param name="terminal">
+##     The type of the terminal allow the amanda_recover domain to use.
+## </param>
+#
+interface(`amanda_run_recover',`
+       gen_require(`
+               type amanda_recover_t;
+       ')
+
+       amanda_domtrans_recover($1)
+       role $2 types amanda_recover_t;
+       allow amanda_recover_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##     Search amanda library directories.
+## </summary>
+## <param name="domain">
+##     The type of the process performing this action.
+## </param>
+#
+interface(`amanda_search_lib',`
+       gen_require(`
+               type amanda_usr_lib_t;
+       ')
+
+       allow $1 amanda_usr_lib_t:dir search;
+       files_search_usr($1)
+')
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
new file mode 100644 (file)
index 0000000..7c18402
--- /dev/null
@@ -0,0 +1,247 @@
+
+policy_module(amanda,1.0)
+
+#######################################
+#
+# Declarations
+#
+
+type amanda_t;
+type amanda_inetd_exec_t;
+inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
+role system_r types amanda_t;
+
+type amanda_exec_t;
+domain_entry_file(amanda_t,amanda_exec_t)
+
+type amanda_log_t;
+logging_log_file(amanda_log_t)
+
+# type for amanda configurations files
+type amanda_config_t;
+files_type(amanda_config_t)
+
+# type for files in /usr/lib/amanda
+type amanda_usr_lib_t;
+files_type(amanda_usr_lib_t)
+
+# type for all files in /var/lib/amanda
+type amanda_var_lib_t;
+files_type(amanda_var_lib_t)
+
+# type for all files in /var/lib/amanda/gnutar-lists/
+type amanda_gnutarlists_t;
+files_type(amanda_gnutarlists_t)
+
+# type for user startable files
+type amanda_user_exec_t;
+files_type(amanda_user_exec_t)
+
+# type for same awk and other scripts
+type amanda_script_exec_t;
+files_type(amanda_script_exec_t)
+
+# type for the shell configuration files 
+type amanda_shellconfig_t;
+files_type(amanda_shellconfig_t)
+
+type amanda_tmp_t;
+files_tmp_file(amanda_tmp_t)
+
+# type for /etc/amandates
+type amanda_amandates_t;
+files_type(amanda_amandates_t)
+
+# type for /etc/dumpdates
+type amanda_dumpdates_t;
+files_type(amanda_dumpdates_t)
+
+# type for amanda data
+type amanda_data_t;
+files_type(amanda_data_t)
+
+# type for amrecover
+type amanda_recover_t;
+type amanda_recover_exec_t;
+domain_type(amanda_recover_t)
+domain_entry_file(amanda_recover_t,amanda_recover_exec_t)
+role system_r types amanda_recover_t;
+
+# type for recover files ( restored data )
+type amanda_recover_dir_t;
+files_type(amanda_recover_dir_t)
+
+########################################
+#
+# Amanda local policy
+#
+
+allow amanda_t self:capability { chown dac_override setuid };
+allow amanda_t self:process { setpgid signal };
+allow amanda_t self:fifo_file { getattr read write ioctl lock };
+allow amanda_t self:unix_stream_socket create_stream_socket_perms;
+allow amanda_t self:unix_dgram_socket create_socket_perms;
+allow amanda_t self:tcp_socket create_stream_socket_perms;
+allow amanda_t self:udp_socket create_socket_perms;
+
+# access to amanda_amandates_t
+allow amanda_t amanda_amandates_t:file { getattr lock read write };
+
+# configuration files -> read only
+allow amanda_t amanda_config_t:file { getattr read };
+
+# access to amandas data structure
+allow amanda_t amanda_data_t:dir { read search write };
+allow amanda_t amanda_data_t:file { read write };
+
+# access to amanda_dumpdates_t
+allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
+
+can_exec(amanda_t,amanda_exec_t)
+
+# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
+allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
+allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
+allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
+
+allow amanda_t amanda_log_t:file create_file_perms;
+allow amanda_t amanda_log_t:dir rw_dir_perms;
+logging_create_log(amanda_t,amanda_log_t,{ file dir })
+
+allow amanda_t amanda_tmp_t:dir create_dir_perms;
+allow amanda_t amanda_tmp_t:file create_file_perms;
+files_create_tmp_files(amanda_t, amanda_tmp_t, { file dir })
+
+kernel_read_system_state(amanda_t)
+kernel_read_kernel_sysctl(amanda_t)
+kernel_dontaudit_getattr_unlabeled_file(amanda_t)
+
+corenet_tcp_sendrecv_all_if(amanda_t)
+corenet_udp_sendrecv_all_if(amanda_t)
+corenet_raw_sendrecv_all_if(amanda_t)
+corenet_tcp_sendrecv_all_nodes(amanda_t)
+corenet_udp_sendrecv_all_nodes(amanda_t)
+corenet_raw_sendrecv_all_nodes(amanda_t)
+corenet_tcp_bind_all_nodes(amanda_t)
+corenet_udp_bind_all_nodes(amanda_t)
+corenet_tcp_sendrecv_all_ports(amanda_t)
+corenet_udp_sendrecv_all_ports(amanda_t)
+
+dev_getattr_all_blk_files(amanda_t)
+dev_getattr_all_blk_files(amanda_t)
+
+fs_getattr_xattr_fs(amanda_t)
+fs_list_all(amanda_t)
+
+storage_raw_read_fixed_disk(amanda_t)
+
+files_read_etc_files(amanda_t)
+files_read_etc_runtime_files(amanda_t)
+files_list_all_dirs(amanda_t)
+files_read_all_files(amanda_t)
+files_read_all_symlinks(amanda_t)
+files_read_all_blk_nodes(amanda_t)
+files_read_all_chr_nodes(amanda_t)
+files_getattr_all_pipes(amanda_t)
+files_getattr_all_sockets(amanda_t)
+
+corecmd_exec_shell(amanda_t)
+corecmd_exec_sbin(amanda_t)
+corecmd_exec_bin(amanda_t)
+
+libs_use_ld_so(amanda_t)
+libs_use_shared_libs(amanda_t)
+
+sysnet_read_config(amanda_t)
+
+optional_policy(`authlogin.te',`
+       auth_read_shadow(amanda_t)
+')
+
+optional_policy(`logging.te',`
+       logging_send_syslog_msg(amanda_t)
+')
+
+optional_policy(`nis.te',`
+       nis_use_ypbind(amanda_t)
+')
+
+optional_policy(`nscd.te',`
+       nscd_use_socket(amanda_t)
+')
+
+########################################
+#
+# Amanda recover local policy
+
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:process { sigkill sigstop signal };
+allow amanda_recover_t self:fifo_file { getattr ioctl read write };
+allow amanda_recover_t self:unix_stream_socket { connect create read write };
+allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
+allow amanda_recover_t self:udp_socket create_socket_perms;
+
+allow amanda_recover_t amanda_log_t:dir rw_dir_perms;
+allow amanda_recover_t amanda_log_t:file manage_file_perms;
+allow amanda_recover_t amanda_log_t:lnk_file create_lnk_perms;
+
+# access to amanda_recover_dir_t
+allow amanda_recover_t amanda_recover_dir_t:dir create_dir_perms;
+allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
+allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
+allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
+allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
+userdom_create_sysadm_home(amanda_recover_t,amanda_recover_dir_t,{ file lnk_file sock_file fifo_file })
+
+allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
+allow amanda_recover_t amanda_tmp_t:file create_file_perms;
+allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
+allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
+allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
+files_create_tmp_files(amanda_recover_t,amanda_tmp_t,{ file lnk_file sock_file fifo_file })
+
+kernel_read_system_state(amanda_recover_t)
+kernel_read_kernel_sysctl(amanda_recover_t)
+
+corenet_tcp_sendrecv_all_if(amanda_recover_t)
+corenet_udp_sendrecv_all_if(amanda_recover_t)
+corenet_raw_sendrecv_all_if(amanda_recover_t)
+corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
+corenet_udp_sendrecv_all_nodes(amanda_recover_t)
+corenet_raw_sendrecv_all_nodes(amanda_recover_t)
+corenet_tcp_sendrecv_all_ports(amanda_recover_t)
+corenet_udp_sendrecv_all_ports(amanda_recover_t)
+corenet_tcp_bind_all_nodes(amanda_recover_t)
+corenet_udp_bind_all_nodes(amanda_recover_t)
+corenet_tcp_connect_amanda_port(amanda_recover_t)
+
+corecmd_exec_shell(amanda_recover_t)
+corecmd_exec_bin(amanda_recover_t)
+
+domain_use_wide_inherit_fd(amanda_recover_t)
+
+files_read_etc_files(amanda_recover_t)
+files_read_etc_runtime_files(amanda_recover_t)
+files_search_tmp(amanda_recover_t)
+files_search_pids(amanda_recover_t)
+
+fstools_domtrans(amanda_t)
+
+libs_use_ld_so(amanda_recover_t)
+libs_use_shared_libs(amanda_recover_t)
+
+logging_search_logs(amanda_recover_t)
+
+miscfiles_read_localization(amanda_recover_t)
+
+sysnet_read_config(amanda_recover_t)
+
+userdom_search_sysadm_home_subdirs(amanda_recover_t)
+
+optional_policy(`mount.te',`
+       mount_send_nfs_client_request(amanda_recover_t)
+')
+
+optional_policy(`nis.te',`
+       nis_use_ypbind(amanda_recover_t)
+')
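Review bot: `dev_getattr_all_blk_files(amanda_t)` appears twice on consecutive lines in the amanda_t section; the duplicate is harmless to the compiler but reads like a slip for the chr-file counterpart, which would match `files_read_all_chr_nodes(amanda_t)` a few lines below — either drop the second line or change it to the chr-file interface if this tree provides one. `fstools_domtrans(amanda_t)` sits in the "Amanda recover local policy" section while every neighbouring rule targets amanda_recover_t; if amanda_t really is the intended domain it belongs in the section above, otherwise the argument is wrong. That section header also lacks the closing `#` line the other headers use, and the comment `# type for same awk and other scripts` should presumably read `some awk`.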
diff --git a/refpolicy/policy/modules/services/radius.fc b/refpolicy/policy/modules/services/radius.fc
new file mode 100644 (file)
index 0000000..576f54f
--- /dev/null
@@ -0,0 +1,19 @@
+
+/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/etc/raddb(/.*)?                gen_context(system_u:object_r:radiusd_etc_t,s0)
+
+/usr/sbin/radiusd      --      gen_context(system_u:object_r:radiusd_exec_t,s0)
+/usr/sbin/freeradius   --      gen_context(system_u:object_r:radiusd_exec_t,s0)
+
+/var/log/freeradius(/.*)?      gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radacct(/.*)?         gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius(/.*)?          gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radius\.log.* --      gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radutmp       --      gen_context(system_u:object_r:radiusd_log_t,s0)
+/var/log/radwtmp.*     --      gen_context(system_u:object_r:radiusd_log_t,s0)
+
+/var/run/radiusd(/.*)?         gen_context(system_u:object_r:radiusd_var_run_t,s0)
+/var/run/radiusd\.pid  --      gen_context(system_u:object_r:radiusd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/radius.if b/refpolicy/policy/modules/services/radius.if
new file mode 100644 (file)
index 0000000..c3b31d7
--- /dev/null
@@ -0,0 +1,21 @@
+## <summary>RADIUS authentication and accounting server.</summary>
+
+########################################
+## <summary>
+##     Use radius over a UDP connection.
+## </summary>
+## <param name="domain">
+##     Domain allowed access.
+## </param>
+#
+interface(`radius_use',`
+       gen_require(`
+               type radius_t;
+       ')
+
+       allow $1 radiusd_t:udp_socket sendto;
+       allow radiusd_t $1:udp_socket recvfrom;
+
+       allow radiusd_t $1:udp_socket sendto;
+       allow $1 radiusd_t:udp_socket recvfrom;
+')
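Review bot: The `gen_require` block names `radius_t`, but every rule in the body uses `radiusd_t`, which is the type radius.te actually declares; as written the interface requires a type no module declares and does not require the one it uses. Change it to `type radiusd_t;`. The summary says "Use radius over a UDP connection" but the body only grants socket-level sendto/recvfrom between the two domains — if the caller is also expected to reach the radius port, either say that the caller must obtain it separately or grant it here.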
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
new file mode 100644 (file)
index 0000000..4e165b6
--- /dev/null
@@ -0,0 +1,137 @@
+
+policy_module(radius,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type radiusd_t;
+type radiusd_exec_t;
+init_daemon_domain(radiusd_t,radiusd_exec_t)
+
+type radiusd_etc_t; #, usercanread;
+files_type(radiusd_etc_t)
+
+type radiusd_log_t;
+logging_log_file(radiusd_log_t)
+
+type radiusd_var_run_t;
+files_pid_file(radiusd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# fsetid is for gzip which needs it when run from scripts
+# gzip also needs chown access to preserve GID for radwtmp files
+allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+dontaudit radiusd_t self:capability sys_tty_config;
+allow radiusd_t self:process setsched;
+allow radiusd_t self:fifo_file rw_file_perms;
+allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
+allow radiusd_t self:tcp_socket create_stream_socket_perms;
+allow radiusd_t self:udp_socket create_socket_perms;
+
+allow radiusd_t radiusd_etc_t:file r_file_perms;
+allow radiusd_t radiusd_etc_t:dir r_dir_perms;
+allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
+files_search_etc(radiusd_t)
+
+allow radiusd_t radiusd_log_t:file create_file_perms;
+allow radiusd_t radiusd_log_t:dir { create rw_dir_perms };
+logging_create_log(radiusd_t,radiusd_log_t,{ file dir })
+
+allow radiusd_t radiusd_var_run_t:file create_file_perms;
+allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
+files_create_pid(radiusd_t,radiusd_var_run_t)
+
+kernel_read_kernel_sysctl(radiusd_t)
+kernel_read_system_state(radiusd_t)
+
+corenet_tcp_sendrecv_all_if(radiusd_t)
+corenet_udp_sendrecv_all_if(radiusd_t)
+corenet_raw_sendrecv_all_if(radiusd_t)
+corenet_tcp_sendrecv_all_nodes(radiusd_t)
+corenet_udp_sendrecv_all_nodes(radiusd_t)
+corenet_raw_sendrecv_all_nodes(radiusd_t)
+corenet_tcp_bind_all_nodes(radiusd_t)
+corenet_udp_bind_all_nodes(radiusd_t)
+corenet_tcp_sendrecv_all_ports(radiusd_t)
+corenet_udp_sendrecv_all_ports(radiusd_t)
+corenet_udp_bind_radacct_port(radiusd_t)
+corenet_udp_bind_radius_port(radiusd_t)
+# for RADIUS proxy port
+corenet_udp_bind_generic_port(radiusd_t)
+
+dev_read_sysfs(radiusd_t)
+
+fs_getattr_all_fs(radiusd_t)
+fs_search_auto_mountpoints(radiusd_t)
+
+term_dontaudit_use_console(radiusd_t)
+
+auth_read_shadow(radiusd_t)
+
+corecmd_exec_bin(radiusd_t)
+corecmd_exec_shell(radiusd_t)
+
+domain_use_wide_inherit_fd(radiusd_t)
+
+files_read_usr_files(radiusd_t)
+files_read_etc_files(radiusd_t)
+files_read_etc_runtime_files(radiusd_t)
+
+init_use_fd(radiusd_t)
+init_use_script_pty(radiusd_t)
+
+libs_use_ld_so(radiusd_t)
+libs_use_shared_libs(radiusd_t)
+libs_exec_lib_files(radiusd_t)
+
+logging_send_syslog_msg(radiusd_t)
+
+miscfiles_read_localization(radiusd_t)
+
+sysnet_read_config(radiusd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(radiusd_t)
+userdom_dontaudit_search_sysadm_home_dir(radiusd_t)
+userdom_dontaudit_getattr_sysadm_home_dir(radiusd_t)
+
+ifdef(`targeted_policy', `
+       term_dontaudit_use_unallocated_tty(radiusd_t)
+       term_dontaudit_use_generic_pty(radiusd_t)
+       files_dontaudit_read_root_file(radiusd_t)
+')
+
+optional_policy(`cron.te',`
+       cron_system_entry(radiusd_t,radiusd_exec_t)
+')
+
+optional_policy(`logrotate.te', `
+       logrotate_exec(radiusd_t)
+')
+
+optional_policy(`nis.te',`
+       nis_use_ypbind(radiusd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+       seutil_sigchld_newrole(radiusd_t)
+')
+
+optional_policy(`snmp.te',`
+       snmp_use(radiusd_t)
+')
+
+optional_policy(`udev.te', `
+       udev_read_db(radiusd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+       rhgb_domain(radiusd_t)
+')
+') dnl end TODO
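Review bot: `sys_tty_config` is granted in the self:capability allow rule and then dontaudited on the very next line; an allowed permission never produces a denial, so the dontaudit has no effect and the daemon keeps a capability the dontaudit suggests it was not meant to have. Drop it from the allow, `allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource };`, and keep the `dontaudit` line. The `#, usercanread;` remnant on the radiusd_etc_t declaration and the `ifdef(`TODO',` block at the end are dead text; either remove them or replace them with a comment stating what is still pending.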
index cf9b87a9b3590393a89ce3123a0c672d23e76b31..0da887bc22253197e21d53505034da1582dc8315 100644 (file)
@@ -1 +1,19 @@
 ## <summary>Simple network management protocol services</summary>
+
+########################################
+## <summary>
+##     Use snmp over a TCP connection.
+## </summary>
+## <param name="domain">
+##     Domain allowed access.
+## </param>
+#
+interface(`snmp_use',`
+       gen_require(`
+               type snmpd_t;
+       ')
+
+       allow $1 snmpd_t:tcp_socket { connectto recvfrom };
+       allow snmpd_t $1:tcp_socket { acceptfrom recvfrom };
+       kernel_tcp_recvfrom($1)
+')
index 10adf7d23410c6e160fefd924315959d7cd938bd..9505b717842312b6d4bbc3d19961e9a29d149a24 100644 (file)
@@ -52,6 +52,7 @@ kernel_read_net_sysctl(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
 kernel_read_system_state(snmpd_t)
 kernel_read_network_state(snmpd_t)
+kernel_tcp_recvfrom(snmpd_t)
 
 corenet_tcp_sendrecv_all_if(snmpd_t)
 corenet_raw_sendrecv_all_if(snmpd_t)
index b6284ffc0d60948e740369dc957f25991e108a74..a8c077d57291c5644a2a5f76360829e637c60c9e 100644 (file)
@@ -1740,7 +1740,7 @@ interface(`userdom_rw_sysadm_pipe',`
 ##     home directory.
 ## </summary>
 ## <param name="domain">
-##     Domain to not audit.
+##     Domain allowed access.
 ## </param>
 #
 interface(`userdom_getattr_sysadm_home_dir',`
@@ -1751,6 +1751,24 @@ interface(`userdom_getattr_sysadm_home_dir',`
        allow $1 sysadm_home_dir_t:dir getattr;
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to get the
+##     attributes of the sysadm users
+##     home directory.
+## </summary>
+## <param name="domain">
+##     Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_getattr_sysadm_home_dir',`
+       gen_require(`
+               type sysadm_home_dir_t;
+       ')
+
+       dontaudit $1 sysadm_home_dir_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##     Search the sysadm users home directory.
index 5c3d0cd3ed0d1482903d4b1d4bce68d576cea3b2..cda95a59a95580d12a8d1731d89527ee6b24ee3a 100644 (file)
@@ -235,6 +235,10 @@ ifdef(`targeted_policy',`
                quota_run(sysadm_t,sysadm_r,admin_terminal)
        ')
 
+       optional_policy(`radius.te',`
+               radius_use(sysadm_t,sysadm_r,admin_terminal)
+       ')
+
        optional_policy(`rpm.te',`
                rpm_run(sysadm_t,sysadm_r,admin_terminal)
        ')
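Review bot: `radius_use` is defined in radius.if with a single `domain` parameter, but it is called here with three arguments, `radius_use(sysadm_t,sysadm_r,admin_terminal)`, mirroring the neighbouring `quota_run`/`rpm_run` calls; m4 silently discards the extra arguments, so the role and terminal are never used. Either reduce the call to `radius_use(sysadm_t)` or, if a role-and-terminal run-style interface was intended, that needs a different interface. The hunk header suggests this block lies inside the `ifdef(`targeted_policy',` region, so the grant may apply only to that build — worth confirming.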