updated package selinux-policy

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>

SOURCES/Makefile.devel

@@ -0,0 +1,22 @@
+# installation paths
+SHAREDIR := /usr/share/selinux
+
+AWK ?= gawk
+NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
+
+ifeq ($(MLSENABLED),)
+	MLSENABLED := 1
+endif
+
+ifeq ($(MLSENABLED),1)
+	NTYPE = mcs
+endif
+
+ifeq ($(NAME),mls)
+	NTYPE = mls
+endif
+
+TYPE ?= $(NTYPE)
+
+HEADERDIR := $(SHAREDIR)/devel/include
+include $(HEADERDIR)/Makefile

SOURCES/booleans-minimum.conf

@@ -0,0 +1,252 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+# 
+allow_execmem = false
+
+# Allow making a modified private filemapping executable (text relocation).
+# 
+allow_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+# 
+allow_execstack = true
+
+# Allow ftpd to read cifs directories.
+# 
+allow_ftpd_use_cifs = false
+
+# Allow ftpd to read nfs directories.
+# 
+allow_ftpd_use_nfs = false
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+# 
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+# 
+allow_gssd_read_tmp = true
+
+# Allow Apache to modify public filesused for public file transfer services.
+# 
+allow_httpd_anon_write = false
+
+# Allow Apache to use mod_auth_pam module
+# 
+allow_httpd_mod_auth_pam = false
+
+# Allow system to run with kerberos
+# 
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+# 
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+# 
+allow_saslauthd_read_shadow = false
+
+# Allow samba to modify public filesused for public file transfer services.
+# 
+allow_smbd_anon_write = false
+
+# Allow system to run with NIS
+# 
+allow_ypbind = false
+
+# Allow zebra to write it own configuration files
+# 
+allow_zebra_write_config = false
+
+# Enable extra rules in the cron domainto support fcron.
+# 
+fcron_crond = false
+
+# Allow ftp to read and write files in the user home directories
+# 
+ftp_home_dir = false
+
+#
+# allow httpd to connect to mysql/posgresql 
+httpd_can_network_connect_db = false
+
+#
+# allow httpd to send dbus messages to avahi
+httpd_dbus_avahi = true
+
+#
+# allow httpd to network relay
+httpd_can_network_relay = false
+
+# Allow httpd to use built in scripting (usually php)
+# 
+httpd_builtin_scripting = true
+
+# Allow http daemon to tcp connect
+# 
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+# 
+httpd_enable_cgi = true
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+# 
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+# 
+httpd_enable_homedirs = false
+
+# Run SSI execs in system CGI script domain.
+# 
+httpd_ssi_exec = false
+
+# Allow http daemon to communicate with the TTY
+# 
+httpd_tty_comm = false
+
+# Run CGI in the main httpd domain
+# 
+httpd_unified = false
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+# 
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+# 
+nfs_export_all_rw = true
+
+# Allow nfs to be exported read only
+# 
+nfs_export_all_ro = true
+
+# Allow pppd to load kernel modules for certain modems
+# 
+pppd_can_insmod = false
+
+# Allow reading of default_t files.
+# 
+read_default_t = false
+
+# Allow samba to export user home directories.
+# 
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+# 
+squid_connect_any = false
+
+# Support NFS home directories
+# 
+use_nfs_home_dirs = true
+
+# Support SAMBA home directories
+# 
+use_samba_home_dirs = false
+
+# Control users use of ping and traceroute
+# 
+user_ping = false
+
+# allow host key based authentication
+# 
+allow_ssh_keysign = false
+
+# Allow pppd to be run for a regular user
+# 
+pppd_for_user = false
+
+# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
+# 
+read_untrusted_content = false
+
+# Allow spamd to write to users homedirs
+# 
+spamd_enable_home_dirs = false
+
+# Allow regular users direct mouse access
+# 
+user_direct_mouse = false
+
+# Allow users to read system messages.
+# 
+user_dmesg = false
+
+# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
+# 
+user_rw_noexattrfile = false
+
+# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
+# 
+user_tcp_server = false
+
+# Allow w to display everyone
+# 
+user_ttyfile_stat = false
+
+# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
+# 
+write_untrusted_content = false
+
+# Allow all domains to talk to ttys
+# 
+allow_daemons_use_tty = false
+
+# Allow login domains to polyinstatiate directories
+# 
+allow_polyinstantiation = false
+
+# Allow all domains to dump core
+# 
+allow_daemons_dump_core = true
+
+# Allow samba to act as the domain controller
+# 
+samba_domain_controller = false
+
+# Allow samba to export user home directories.
+# 
+samba_run_unconfined = false
+
+# Allows XServer to execute writable memory
+# 
+allow_xserver_execmem = false
+
+# disallow guest accounts to execute files that they can create 
+# 
+allow_guest_exec_content = false
+allow_xguest_exec_content = false
+
+# Only allow browser to use the web
+# 
+browser_confine_xguest=false
+
+# Allow postfix locat to write to mail spool
+# 
+allow_postfix_local_write_mail_spool=false
+
+# Allow common users to read/write noexattrfile systems
+# 
+user_rw_noexattrfile=true
+
+# Allow qemu to connect fully to the network
+# 
+qemu_full_network=true
+
+# Allow nsplugin execmem/execstack for bad plugins
+# 
+allow_nsplugin_execmem=true
+
+# Allow unconfined domain to transition to confined domain
+# 
+allow_unconfined_nsplugin_transition=true
+
+# System uses init upstart program
+# 
+init_upstart = true
+
+# Allow mount to mount any file/dir
+# 
+allow_mount_anyfile = true

SOURCES/booleans-mls.conf

@@ -0,0 +1,6 @@
+kerberos_enabled = true
+mount_anyfile = true
+polyinstantiation_enabled = true
+ftpd_is_daemon = true
+selinuxuser_ping = true
+xserver_object_manager = true

SOURCES/booleans-targeted.conf

@@ -0,0 +1,24 @@
+gssd_read_tmp = true
+httpd_builtin_scripting = true
+httpd_enable_cgi = true
+httpd_graceful_shutdown = true
+kerberos_enabled = true
+mount_anyfile = true
+nfs_export_all_ro = true
+nfs_export_all_rw = true
+nscd_use_shm = true
+openvpn_enable_homedirs = true
+postfix_local_write_mail_spool=true
+pppd_can_insmod = false
+privoxy_connect_any = true
+selinuxuser_direct_dri_enabled = true
+selinuxuser_execmem = true
+selinuxuser_execmod = true
+selinuxuser_execstack = true
+selinuxuser_rw_noexattrfile=true
+selinuxuser_ping = true
+squid_connect_any = true
+telepathy_tcp_connect_generic_network_ports=true
+unconfined_chrome_sandbox_transition=true
+unconfined_mozilla_plugin_transition=true
+xguest_exec_content = true

SOURCES/booleans.subs_dist

@@ -0,0 +1,59 @@
+allow_auditadm_exec_content auditadm_exec_content
+allow_console_login login_console_enabled
+allow_cvs_read_shadow cvs_read_shadow
+allow_daemons_dump_core daemons_dump_core
+allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
+allow_daemons_use_tty daemons_use_tty
+allow_domain_fd_use domain_fd_use
+allow_execheap selinuxuser_execheap
+allow_execmod selinuxuser_execmod
+allow_execstack selinuxuser_execstack
+allow_ftpd_anon_write ftpd_anon_write
+allow_ftpd_full_access ftpd_full_access
+allow_ftpd_use_cifs ftpd_use_cifs
+allow_ftpd_use_nfs ftpd_use_nfs
+allow_gssd_read_tmp gssd_read_tmp
+allow_guest_exec_content guest_exec_content
+allow_httpd_anon_write httpd_anon_write
+allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
+allow_httpd_mod_auth_pam httpd_mod_auth_pam
+allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
+allow_kerberos kerberos_enabled
+allow_mplayer_execstack mplayer_execstack
+allow_mount_anyfile mount_anyfile
+allow_nfsd_anon_write nfsd_anon_write
+allow_polyinstantiation polyinstantiation_enabled
+allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
+allow_rsync_anon_write rsync_anon_write
+allow_saslauthd_read_shadow saslauthd_read_shadow
+allow_secadm_exec_content secadm_exec_content
+allow_smbd_anon_write smbd_anon_write
+allow_ssh_keysign ssh_keysign
+allow_staff_exec_content staff_exec_content
+allow_sysadm_exec_content sysadm_exec_content
+allow_user_exec_content user_exec_content
+allow_user_mysql_connect selinuxuser_mysql_connect_enabled
+allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
+allow_write_xshm xserver_clients_write_xshm
+allow_xguest_exec_content xguest_exec_content
+allow_xserver_execmem xserver_execmem
+allow_ypbind nis_enabled
+allow_zebra_write_config zebra_write_config
+user_direct_dri selinuxuser_direct_dri_enabled
+user_ping selinuxuser_ping
+user_share_music selinuxuser_share_music
+user_tcp_server selinuxuser_tcp_server
+user_rw_noexattrfile selinuxuser_rw_noexattrfile
+sepgsql_enable_pitr_implementation postgresql_can_rsync
+sepgsql_enable_users_ddl  postgresql_selinux_users_ddl 
+sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
+sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
+clamd_use_jit antivirus_use_jit
+amavis_use_jit antivirus_use_jit
+logwatch_can_sendmail logwatch_can_network_connect_mail
+puppet_manage_all_files puppetagent_manage_all_files
+condor_domain_can_network_connect condor_tcp_network_connect
+icecast_connect_any icecast_use_any_tcp_ports
+named_bind_http_port named_tcp_bind_http_port
+puppet_manage_all_files puppetagent_manage_all_files 
+virt_sandbox_use_nfs virt_use_nfs

SOURCES/customizable_types

@@ -0,0 +1,13 @@
+sandbox_file_t
+svirt_image_t
+svirt_home_t
+svirt_sandbox_file_t
+virt_content_t
+httpd_user_htaccess_t
+httpd_user_script_exec_t
+httpd_user_rw_content_t
+httpd_user_ra_content_t
+httpd_user_content_t
+git_session_content_t
+home_bin_t
+user_tty_device_t

SOURCES/file_contexts.subs_dist

@@ -0,0 +1,16 @@
+/run /var/run
+/run/lock /var/lock
+/run/systemd/system /usr/lib/systemd/system
+/run/systemd/generator /usr/lib/systemd/system
+/lib /usr/lib
+/lib64 /usr/lib
+/usr/lib64 /usr/lib
+/usr/local/lib64 /usr/lib
+/usr/local/lib32 /usr/lib
+/etc/systemd/system /usr/lib/systemd/system
+/var/lib/xguest/home /home
+/var/named/chroot/usr/lib64 /usr/lib
+/var/named/chroot/lib64 /usr/lib
+/var/home            /home
+/var/roothome        /root
+/sbin                /usr/sbin

SOURCES/modules-mls-base.conf

@@ -0,0 +1,380 @@
+# Layer: kernel
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+# 
+bootloader = module
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+# 
+corenetwork = base
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+# 
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+# 
+netutils = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+# 
+sudo = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+# 
+su = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+# 
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+# 
+seunshare = module
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+# 
+corecommands = base
+
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+# 
+devices = base
+
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+# 
+domain = base
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+# 
+userdomain = module
+
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+# 
+files = base
+
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+# 
+filesystem = base
+
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+# 
+kernel = base
+
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+# 
+mcs = base
+
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+# 
+mls = base
+
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+# 
+selinux = base
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+# 
+storage = base
+
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+# 
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+#
+# 
+# 
+ubac = base
+
+# Layer: kernel
+# Module: unlabelednet
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
+# Layer: role
+# Module: auditadm
+#
+# auditadm account on tty logins
+# 
+auditadm = module
+
+# Layer: role
+# Module: logadm
+#
+# Minimally prived root role for managing logging system
+# 
+logadm = module
+
+# Layer: role
+# Module: secadm
+#
+# secadm account on tty logins
+# 
+secadm = module
+
+# Layer:role
+# Module: staff
+#
+# admin account 
+# 
+staff = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+# 
+sysadm_secadm = module
+
+# Layer:role
+# Module: sysadm
+#
+# System Administrator
+# 
+sysadm = module
+
+# Layer: role
+# Module: unprivuser
+#
+# Minimally privs guest account on tty logins
+# 
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+# 
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+# 
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+# 
+xserver = module
+
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+# 
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+# 
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+# 
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+# 
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+# 
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+# 
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+# 
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+# 
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+# 
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+# 
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+# 
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+# 
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+# 
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+# 
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+# 
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+# 
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# Basic netlabel types and interfaces.
+# 
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+# 
+selinuxutil = module
+
+# Module: setrans
+# Required in base
+#
+# Policy for setrans
+# 
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+# 
+sysnetwork = module
+
+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+# 
+systemd = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+# 
+udev = module

SOURCES/modules-targeted-base.conf

@@ -0,0 +1,394 @@
+# Layer: kernel
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+# 
+bootloader = module
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+# 
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+# 
+netutils = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+# 
+sudo = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+# 
+su = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+# 
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+# 
+seunshare = module
+
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+# 
+devices = base
+
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+# 
+domain = base
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+# 
+userdomain = module
+
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+# 
+files = base
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+# 
+miscfiles = module
+
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+# 
+filesystem = base
+
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+# 
+kernel = base
+
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+# 
+mcs = base
+
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+# 
+mls = base
+
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+# 
+selinux = base
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+# 
+storage = base
+
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+# 
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+#
+# 
+# 
+ubac = base
+
+# Layer: kernel
+# Module: unconfined
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
+# Layer: role
+# Module: auditadm
+#
+# auditadm account on tty logins
+# 
+auditadm = module
+
+# Layer: role
+# Module: logadm
+#
+# Minimally prived root role for managing logging system
+# 
+logadm = module
+
+# Layer: role
+# Module: secadm
+#
+# secadm account on tty logins
+# 
+secadm = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+# 
+sysadm_secadm = module
+
+# Module: staff
+#
+# admin account 
+# 
+staff = module
+
+# Layer:role
+# Module: sysadm
+#
+# System Administrator
+# 
+sysadm = module
+
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+# 
+unconfineduser = module
+
+# Layer: role
+# Module: unprivuser
+#
+# Minimally privs guest account on tty logins
+# 
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+# 
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+# 
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+# 
+xserver = module
+
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+# 
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+# 
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+# 
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+# 
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+# 
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+# 
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+# 
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+# 
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+# 
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+# 
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+# 
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+# 
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+# 
+lvm = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+# 
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+# 
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# Basic netlabel types and interfaces.
+# 
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+# 
+selinuxutil = module
+
+# Module: setrans
+# Required in base
+#
+# Policy for setrans
+# 
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+# 
+sysnetwork = module
+
+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+# 
+systemd = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+# 
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+# 
+unconfined = module
+

SOURCES/permissivedomains.cil

@@ -0,0 +1,25 @@
+(roleattributeset cil_gen_require system_r)
+(optional permissivedomains_optional_2
+    (typeattributeset cil_gen_require blkmapd_t)
+    (typepermissive blkmapd_t)
+)
+(optional permissivedomains_optional_3
+    (typeattributeset cil_gen_require hsqldb_t)
+    (typepermissive hsqldb_t)
+)
+(optional permissivedomains_optional_4
+    (typeattributeset cil_gen_require ipmievd_t)
+    (typepermissive ipmievd_t)
+)
+(optional permissivedomains_optional_5
+    (typeattributeset cil_gen_require targetd_t)
+    (typepermissive targetd_t)
+)
+(optional permissivedomains_optional_6
+    (typeattributeset cil_gen_require systemd_hwdb_t)
+    (typepermissive systemd_hwdb_t)
+)
+(optional permissivedomains_optional_7
+    (typeattributeset cil_gen_require sanlk_resetd_t)
+    (typepermissive sanlk_resetd_t)
+)

SOURCES/policy-rhel-7.4.z-contrib.patch

@@ -0,0 +1,211 @@
+diff --git a/certmonger.te b/certmonger.te
+index 0803529e4a..0585431e14 100644
+--- a/certmonger.te
++++ b/certmonger.te
+@@ -144,6 +144,7 @@ optional_policy(`
+ optional_policy(`
+ 	pki_rw_tomcat_cert(certmonger_t)
+ 	pki_read_tomcat_lib_files(certmonger_t)
++    pki_tomcat_systemctl(certmonger_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/keepalived.te b/keepalived.te
+index c4f0c3237b..4b5c0e4ecf 100644
+--- a/keepalived.te
++++ b/keepalived.te
+@@ -24,7 +24,7 @@ application_executable_file(keepalived_unconfined_script_exec_t)
+ #
+ 
+ allow keepalived_t self:capability { net_admin net_raw kill };
+-allow keepalived_t self:process { signal_perms };
++allow keepalived_t self:process { signal_perms setpgid };
+ allow keepalived_t self:netlink_socket create_socket_perms;
+ allow keepalived_t self:netlink_generic_socket create_socket_perms;
+ allow keepalived_t self:netlink_netfilter_socket create_socket_perms;
+diff --git a/lldpad.te b/lldpad.te
+index 42e5578f22..3399d597a8 100644
+--- a/lldpad.te
++++ b/lldpad.te
+@@ -64,3 +64,7 @@ optional_policy(`
+ optional_policy(`
+     networkmanager_dgram_send(lldpad_t)
+ ')
++
++optional_policy(`
++    virt_dgram_send(lldpad_t)
++')
+diff --git a/openvswitch.te b/openvswitch.te
+index d37f970208..1dc8a63a6b 100644
+--- a/openvswitch.te
++++ b/openvswitch.te
+@@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t)
+ # openvswitch local policy
+ #
+ 
+-allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid };
++allow openvswitch_t self:capability { dac_override net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
+ allow openvswitch_t self:capability2 block_suspend;
+ allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
+ allow openvswitch_t self:fifo_file rw_fifo_file_perms;
+@@ -41,6 +41,7 @@ allow openvswitch_t self:tcp_socket create_stream_socket_perms;
+ allow openvswitch_t self:netlink_socket create_socket_perms;
+ allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
+ allow openvswitch_t self:netlink_generic_socket create_socket_perms;
++allow openvswitch_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+ 
+ can_exec(openvswitch_t, openvswitch_exec_t)
+ 
+@@ -69,6 +70,7 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file })
+ 
++kernel_load_module(openvswitch_t)
+ kernel_read_network_state(openvswitch_t)
+ kernel_read_system_state(openvswitch_t)
+ kernel_request_load_module(openvswitch_t)
+@@ -87,6 +89,8 @@ corecmd_exec_shell(openvswitch_t)
+ dev_read_rand(openvswitch_t)
+ dev_read_urand(openvswitch_t)
+ dev_read_sysfs(openvswitch_t)
++dev_rw_vfio_dev(openvswitch_t)
++corenet_rw_tun_tap_dev(openvswitch_t)
+ 
+ domain_use_interactive_fds(openvswitch_t)
+ 
+@@ -111,6 +115,10 @@ modutils_read_module_deps(openvswitch_t)
+ 
+ sysnet_dns_name_resolve(openvswitch_t)
+ 
++logging_send_audit_msgs(openvswitch_t)
++
++write_sock_files_pattern(init_t, openvswitch_var_run_t, openvswitch_var_run_t)
++
+ optional_policy(`
+     hostname_exec(openvswitch_t)
+ ')
+diff --git a/pki.if b/pki.if
+index f18fcc68fc..f69ae02984 100644
+--- a/pki.if
++++ b/pki.if
+@@ -477,3 +477,27 @@ interface(`pki_stream_connect',`
+ 	files_search_pids($1)
+ 	stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
+ ')
++
++########################################
++## <summary>
++##	Execute pki in the pkit_tomcat_t domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`pki_tomcat_systemctl',`
++	gen_require(`
++		type pki_tomcat_t;
++		type pki_tomcat_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 pki_tomcat_unit_file_t:file read_file_perms;
++	allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, pki_tomcat_t)
++')
+diff --git a/rhcs.if b/rhcs.if
+index 59e5d7e3b7..145d67f2a0 100644
+--- a/rhcs.if
++++ b/rhcs.if
+@@ -957,3 +957,22 @@ interface(`rhcs_start_haproxy_services',`
+ 	systemd_exec_systemctl($1)
+ 	allow $1 haproxy_unit_file_t:service {status start};
+ ')
++
++########################################
++## <summary>
++##	Create log files with a named file
++##	type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhcs_named_filetrans_log_dir',`
++	gen_require(`
++		type var_log_t;
++	')
++
++	logging_log_named_filetrans($1, var_log_t, dir, "bundles")
++')
+diff --git a/rhcs.te b/rhcs.te
+index a95c73dc7e..a5aec03a82 100644
+--- a/rhcs.te
++++ b/rhcs.te
+@@ -319,6 +319,10 @@ optional_policy(`
+     ricci_dontaudit_rw_modcluster_pipes(cluster_t)
+ ')
+ 
++optional_policy(`
++    rhcs_named_filetrans_log_dir(cluster_t)
++')
++
+ optional_policy(`
+     rpc_systemctl_nfsd(cluster_t)
+     rpc_systemctl_rpcd(cluster_t)
+diff --git a/tomcat.te b/tomcat.te
+index 97bdd60c90..e35ae6b3d9 100644
+--- a/tomcat.te
++++ b/tomcat.te
+@@ -51,6 +51,9 @@ optional_policy(`
+ # tomcat domain policy
+ #
+ 
++allow tomcat_t self:capability { dac_override setuid kill };
++
++allow tomcat_t self:process { setcap signal signull };
+ allow tomcat_domain self:fifo_file rw_fifo_file_perms;
+ allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
+ 
+@@ -82,6 +85,7 @@ corenet_tcp_connect_amqp_port(tomcat_domain)
+ corenet_tcp_connect_oracle_port(tomcat_domain)
+ corenet_tcp_connect_ibm_dt_2_port(tomcat_domain)
+ corenet_tcp_connect_unreserved_ports(tomcat_domain)
++corenet_tcp_connect_mssql_port(tomcat_domain)
+ 
+ dev_read_rand(tomcat_domain)
+ dev_read_urand(tomcat_domain)
+diff --git a/virt.if b/virt.if
+index 1d17889f38..c6792a5a37 100644
+--- a/virt.if
++++ b/virt.if
+@@ -1618,4 +1618,23 @@ interface(`virt_dontaudit_read_state',`
+ 	dontaudit $1 virtd_t:dir search_dir_perms;
+ 	dontaudit $1 virtd_t:file read_file_perms;
+ 	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
++')
++
++#######################################
++## <summary>
++##	Send to libvirt with a unix dgram socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_dgram_send',`
++	gen_require(`
++		type virtd_t, virt_var_run_t;
++	')
++
++	files_search_pids($1)
++	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
+ ')
+\ No newline at end of file

SOURCES/rpm.macros

@@ -0,0 +1,142 @@
+# Copyright (C) 2016  Petr Lautrbach
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# RPM macros for packages installing SELinux modules
+
+%_selinux_policy_version SELINUXPOLICYVERSION
+
+%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
+%_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre
+
+%_file_custom_defined_booleans %{_sysconfdir}/selinux/${_policytype}/rpmbooleans.custom
+%_file_custom_defined_booleans_tmp %{_sysconfdir}/selinux/${_policytype}/rpmbooleans.custom.tmp
+
+# %selinux_modules_install [-s <policytype>] module [module]...
+%selinux_modules_install("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+  _policytype="targeted" \
+fi \
+%{_sbindir}/semodule -n -s ${_policytype} -X 200 -i %* \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+  %{_sbindir}/load_policy \
+fi \
+%{nil}
+
+# %selinux_modules_uninstall [-s <policytype>] module [module]...
+%selinux_modules_uninstall("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+  _policytype="targeted" \
+fi \
+if [ $1 -eq 0 ]; then \
+  %{_sbindir}/semodule -n -X 200 -r %* &> /dev/null || : \
+  if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+    %{_sbindir}/load_policy \
+  fi \
+fi \
+%{nil}
+
+# %selinux_relabel_pre [-s <policytype>]
+%selinux_relabel_pre("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+  _policytype="targeted" \
+fi \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+  [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
+fi \
+%{nil}
+
+
+# %selinux_relabel_post [-s <policytype>]
+%selinux_relabel_post("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+  _policytype="targeted" \
+fi \
+if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+   if [ -f %{_file_context_file_pre} ]; then \
+     %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore \
+     rm -f %{_file_context_file_pre} \
+   fi \
+fi \
+%{nil}
+
+# %selinux_set_booleans [-s <policytype>] boolean [boolean]...
+%selinux_set_booleans("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+  _policytype="targeted" \
+fi \
+LOCAL_MODIFICATIONS=$(semanage boolean -E) \
+if [ ! -f %_file_custom_defined_booleans ]; then \
+    echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
+fi \
+semanage_import='' \
+for boolean in %*; do \
+    boolean_name=${boolean%=*} \
+    boolean_value=${boolean#*=} \
+    boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
+    if [ -n "$boolean_local_string" ]; then \
+        semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+        boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+        if [ -n "$boolean_customized_string" ]; then \
+            /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
+        else \
+            /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
+        fi \
+    else \
+        semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+        boolean_default_value=$(semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
+        /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
+    fi \
+done; \
+if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+    /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+else \
+    echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
+fi \
+%{nil}
+
+# %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
+%selinux_unset_booleans("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+  _policytype="targeted" \
+fi \
+semanage_import='' \
+for boolean in %*; do \
+    boolean_name=${boolean%=*} \
+    boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+    if [ -n "$boolean_customized_string" ]; then \
+        awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
+        if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
+            semanage_import="${semanage_import}\\n${boolean_customized_string}" \
+        fi \
+    fi \
+done; \
+if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+    /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+else \
+    echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
+fi \
+%{nil}

SOURCES/securetty_types-minimum

@@ -0,0 +1,4 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t

SOURCES/securetty_types-mls

@@ -0,0 +1,6 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t
+auditadm_tty_device_t
+secureadm_tty_device_t

SOURCES/securetty_types-targeted

@@ -0,0 +1,4 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t

SOURCES/selinux-policy-migrate-local-changes.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+#===============================================================================
+#
+#          FILE: selinux-policy-migrate-local-changes.sh
+# 
+#         USAGE: ./selinux-policy-migrate-local-changes.sh <POLICYTYPE>
+# 
+#   DESCRIPTION: This script migrates local changes from pre-2.4 SELinux modules
+#                store structure to the new structure
+# 
+#        AUTHOR: Petr Lautrbach <plautrba@redhat.com>
+#===============================================================================
+
+if [ ! -f /etc/selinux/config ]; then
+    SELINUXTYPE=none
+else
+    source /etc/selinux/config
+fi
+
+REBUILD=0
+MIGRATE_SELINUXTYPE=$1
+
+for local in booleans.local file_contexts.local ports.local users_extra.local users.local; do
+    if [ -e /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/$local ]; then
+        REBUILD=1
+        cp -v --preserve=mode,ownership,timestamps,links /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/$local /etc/selinux/$MIGRATE_SELINUXTYPE/active/$local
+    fi
+done
+if [ -e /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/seusers ]; then
+    REBUILD=1
+    cp -v --preserve=mode,ownership,timestamps,links /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/seusers /etc/selinux/$MIGRATE_SELINUXTYPE/active/seusers.local
+fi
+
+INSTALL_MODULES=""
+for i in `find /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/modules/ -name \*disabled 2> /dev/null`; do
+    module=`basename $i | sed 's/\.pp\.disabled$//'`
+    if [ $module == "pkcsslotd" ] || [ $module == "vbetool" ] || [ $module == "ctdbd" ] || [ $module == "docker" ] || [ $module == "gear" ]; then
+        continue
+    fi
+    if [ -d /etc/selinux/$MIGRATE_SELINUXTYPE/active/modules/100/$module ]; then
+        touch /etc/selinux/$MIGRATE_SELINUXTYPE/active/modules/disabled/$module
+    fi
+done
+for i in `find /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/modules/ -name \*.pp 2> /dev/null`; do
+    module=`basename $i | sed 's/\.pp$//'`
+    if [ $module == "pkcsslotd" ] || [ $module == "vbetool" ] || [ $module == "ctdbd" ] || [ $module == "docker" ] || [ $module == "gear" ]; then
+        continue
+    fi
+    if [ ! -d /etc/selinux/$MIGRATE_SELINUXTYPE/active/modules/100/$module ]; then
+        INSTALL_MODULES="${INSTALL_MODULES} $i"
+    fi
+done
+if [ -n "$INSTALL_MODULES" ]; then
+    semodule -s $MIGRATE_SELINUXTYPE -n -X 400 -i $INSTALL_MODULES
+    REBUILD=1
+fi
+
+cat > /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/README.migrated <<EOF
+Your old modules store and local changes were migrated to the new structure in
+in the following directory:
+
+/etc/selinux/$MIGRATE_SELINUXTYPE/active
+
+WARNING: Do not remove this file or remove /etc/selinux/$MIGRATE_SELINUXTYPE/modules
+completely if you are confident that you don't need old files anymore.
+EOF
+
+if [ ${DONT_REBUILD:-0} = 0 -a $REBUILD = 1 ]; then
+    semodule -B -n -s $MIGRATE_SELINUXTYPE
+    if [ "$MIGRATE_SELINUXTYPE" = "$SELINUXTYPE" ] && selinuxenabled; then
+        load_policy
+        if [ -x /usr/sbin/semanage ]; then
+            /usr/sbin/semanage export | /usr/sbin/semanage import
+        fi
+    fi
+fi

SOURCES/selinux-policy-migrate-local-changes@.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Migrate local SELinux policy changes from the old store structure to the new structure
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=selinux
+ConditionPathExists=/etc/selinux/%I/modules
+ConditionPathExists=!/etc/selinux/%I/modules/active/README.migrated
+
+[Service]
+ExecStart=/usr/libexec/selinux/selinux-policy-migrate-local-changes.sh %I
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+StandardInput=tty

SOURCES/selinux-policy.conf

@@ -0,0 +1,4 @@
+z /sys/devices/system/cpu/online - - -
+Z /sys/class/net - - -
+z /sys/kernel/uevent_helper - - -
+w /sys/fs/selinux/checkreqprot - - - - 0

SOURCES/setrans-minimum.conf

@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+# 
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023.  Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh

SOURCES/setrans-mls.conf

@@ -0,0 +1,52 @@
+#
+# Multi-Level Security translation table for SELinux
+# 
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be labeled with one of 16 levels and be categorized with 0-1023 
+# categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Users can modify this table to translate the MLS labels for different purpose.
+#
+# Assumptions: using below MLS labels.
+#  SystemLow
+#  SystemHigh
+#  Unclassified 
+#  Secret with compartments A and B.
+# 
+# SystemLow and SystemHigh
+s0=SystemLow
+s15:c0.c1023=SystemHigh
+s0-s15:c0.c1023=SystemLow-SystemHigh
+
+# Unclassified level
+s1=Unclassified
+
+# Secret level with compartments
+s2=Secret
+s2:c0=A
+s2:c1=B
+
+# ranges for Unclassified
+s0-s1=SystemLow-Unclassified
+s1-s2=Unclassified-Secret
+s1-s15:c0.c1023=Unclassified-SystemHigh
+
+# ranges for Secret with compartments
+s0-s2=SystemLow-Secret
+s0-s2:c0=SystemLow-Secret:A
+s0-s2:c1=SystemLow-Secret:B
+s0-s2:c0,c1=SystemLow-Secret:AB
+s1-s2:c0=Unclassified-Secret:A
+s1-s2:c1=Unclassified-Secret:B
+s1-s2:c0,c1=Unclassified-Secret:AB
+s2-s2:c0=Secret-Secret:A
+s2-s2:c1=Secret-Secret:B
+s2-s2:c0,c1=Secret-Secret:AB
+s2-s15:c0.c1023=Secret-SystemHigh
+s2:c0-s2:c0,c1=Secret:A-Secret:AB
+s2:c0-s15:c0.c1023=Secret:A-SystemHigh
+s2:c1-s2:c0,c1=Secret:B-Secret:AB
+s2:c1-s15:c0.c1023=Secret:B-SystemHigh
+s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

SOURCES/setrans-targeted.conf

@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+# 
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023.  Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh

SOURCES/users-minimum

@@ -0,0 +1,38 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

SOURCES/users-mls

@@ -0,0 +1,38 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

SOURCES/users-targeted

@@ -0,0 +1,38 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)