author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
commit | 3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch) | |
tree | cae07463edd5b609a97513e00d63e1bd410cc8bb /config | |
parent | Initial commit (diff) | |
Pushing 2.20120215 (current version)
Diffstat (limited to 'config')
62 files changed, 739 insertions, 0 deletions
diff --git a/config/appconfig-mcs/dbus_contexts b/config/appconfig-mcs/dbus_contexts
new file mode 100644
index 000000000..116e684f9
--- /dev/null
+++ b/config/appconfig-mcs/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
new file mode 100644
index 000000000..801d97b6f
--- /dev/null
+++ b/config/appconfig-mcs/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/default_type b/config/appconfig-mcs/default_type
new file mode 100644
index 000000000..33528d61f
--- /dev/null
+++ b/config/appconfig-mcs/default_type
@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
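Review bot: In default_contexts the `system_r:sshd_t:s0` line lists `sysadm_r:sysadm_t:s0` among its candidate contexts while the `system_r:remote_login_t:s0` line deliberately omits it, so an SSH login by an account whose SELinux user holds sysadm_r but neither user_r nor staff_r would start directly in sysadm_t from the network. If that asymmetry is intended for this hardened variant, a one-line comment above the sshd_t entry would stop the next reader from taking it for an oversight, e.g. `# sshd falls through to sysadm_r only when the SELinux user has no user_r/staff_r mapping`. Which roles each SELinux user actually carries is defined in the policy rather than in this file, so whether any real account reaches that path cannot be judged from this hunk.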
diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
new file mode 100644
index 000000000..999abd9a3
--- /dev/null
+++ b/config/appconfig-mcs/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mcs/guest_u_default_contexts b/config/appconfig-mcs/guest_u_default_contexts
new file mode 100644
index 000000000..90e526273
--- /dev/null
+++ b/config/appconfig-mcs/guest_u_default_contexts
@@ -0,0 +1,6 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:initrc_su_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
diff --git a/config/appconfig-mcs/initrc_context b/config/appconfig-mcs/initrc_context
new file mode 100644
index 000000000..30ab971d2
--- /dev/null
+++ b/config/appconfig-mcs/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0
diff --git a/config/appconfig-mcs/media b/config/appconfig-mcs/media
new file mode 100644
index 000000000..81f3463e0
--- /dev/null
+++ b/config/appconfig-mcs/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-mcs/removable_context b/config/appconfig-mcs/removable_context
new file mode 100644
index 000000000..7fcc56e43
--- /dev/null
+++ b/config/appconfig-mcs/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts
new file mode 100644
index 000000000..7805778a2
--- /dev/null
+++ b/config/appconfig-mcs/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/securetty_types b/config/appconfig-mcs/securetty_types
new file mode 100644
index 000000000..527d8358e
--- /dev/null
+++ b/config/appconfig-mcs/securetty_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/config/appconfig-mcs/sepgsql_contexts b/config/appconfig-mcs/sepgsql_contexts
new file mode 100644
index 000000000..f8e9b1cd3
--- /dev/null
+++ b/config/appconfig-mcs/sepgsql_contexts
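Review bot: Every entry in root_default_contexts puts `unconfined_r:unconfined_t:s0` first, ahead of `sysadm_r:sysadm_t:s0`, so on a build where the `root` SELinux user mapped in seusers is granted unconfined_r, local logins, cron jobs and su to root all resolve to unconfined_t before any confined administrative domain is tried. For a policy branded as hardened it would be worth either moving `sysadm_r:sysadm_t:s0` to the front of each line or adding a comment stating that the unconfined fallback is deliberate and only takes effect when unconfined_r is assigned to root. Whether the root user actually carries unconfined_r is decided in the policy sources and is not visible in this commit.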
@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (MCS)
+#
+
+# <databases>
+db_database * system_u:object_r:sepgsql_db_t:s0
+
+# <schemas>
+db_schema *.* system_u:object_r:sepgsql_schema_t:s0
+
+# <tables>
+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_table *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <column>
+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0
+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <sequences>
+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0
+
+# <views>
+db_view *.*.* system_u:object_r:sepgsql_view_t:s0
+
+# <procedures>
+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0
+
+# <tuples>
+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <blobs>
+db_blob *.* system_u:object_r:sepgsql_blob_t:s0
+
+# <language>
+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.* system_u:object_r:sepgsql_lang_t:s0
diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
new file mode 100644
index 000000000..dc5f1e42e
--- /dev/null
+++ b/config/appconfig-mcs/seusers
@@ -0,0 +1,3 @@
+system_u:system_u:s0-mcs_systemhigh
+root:root:s0-mcs_systemhigh
+__default__:user_u:s0
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
new file mode 100644
index 000000000..881a292e3
--- /dev/null
+++ b/config/appconfig-mcs/staff_u_default_contexts
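Review bot: The `db_language` block of sepgsql_contexts marks `*.sql`, `*.plpgsql`, `*.pltcl` and `*.plperl` as `sepgsql_safe_lang_t` and lets everything else fall through to the trailing `*.*` rule as `sepgsql_lang_t`; that split only keeps the untrusted `plperlu`/`pltclu` variants and C out of the safe type if the pattern is anchored at the end so that `*.plperl` does not also match `plperlu`. A short comment above the block would make the intent and the ordering requirement explicit, e.g. `# Only trusted PLs are safe; untrusted *u variants and C must fall through to the sepgsql_lang_t catch-all, which stays last`. The matching semantics live in the consumer of this file rather than here, so the anchoring assumption should be confirmed against it.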
@@ -0,0 +1,10 @@
+system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:xdm_t:s0 staff_r:staff_t:s0
+staff_r:staff_su_t:s0 staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
diff --git a/config/appconfig-mcs/unconfined_u_default_contexts b/config/appconfig-mcs/unconfined_u_default_contexts
new file mode 100644
index 000000000..106e093d8
--- /dev/null
+++ b/config/appconfig-mcs/unconfined_u_default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
new file mode 100644
index 000000000..cacbc939f
--- /dev/null
+++ b/config/appconfig-mcs/user_u_default_contexts
@@ -0,0 +1,8 @@
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 user_r:user_t:s0
+
diff --git a/config/appconfig-mcs/userhelper_context b/config/appconfig-mcs/userhelper_context
new file mode 100644
index 000000000..dc37a69bb
--- /dev/null
+++ b/config/appconfig-mcs/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
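Review bot: Both staff_u_default_contexts (`@@ -0,0 +1,10 @@`) and user_u_default_contexts (`@@ -0,0 +1,8 @@`) end with an empty added line, whereas unconfined_u_default_contexts in the same run of hunks does not. The trailing blank is presumably ignored by the contexts parser, but dropping it keeps the per-user files uniform and avoids spurious whitespace-only diffs later. This is a style point only.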
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
new file mode 100644
index 000000000..d387b428b
--- /dev/null
+++ b/config/appconfig-mcs/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff --git a/config/appconfig-mcs/virtual_image_context b/config/appconfig-mcs/virtual_image_context
new file mode 100644
index 000000000..8ab1e27ea
--- /dev/null
+++ b/config/appconfig-mcs/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff --git a/config/appconfig-mcs/x_contexts b/config/appconfig-mcs/x_contexts
new file mode 100644
index 000000000..0b3204435
--- /dev/null
+++ b/config/appconfig-mcs/x_contexts
@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_t:s0
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
+
+# Clipboard and selection properties
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
+
+# Default fallback type
+property * system_u:object_r:xproperty_t:s0
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t:s0
+
+# Standard extensions
+extension * system_u:object_r:xextension_t:s0
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context. A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
+selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
+
+# Default fallback type
+selection * system_u:object_r:xselection_t:s0
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context. A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress system_u:object_r:input_xevent_t:s0
+event X11:KeyRelease system_u:object_r:input_xevent_t:s0
+event X11:ButtonPress system_u:object_r:input_xevent_t:s0
+event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
+event X11:MotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
+
+# Client message events
+event X11:ClientMessage system_u:object_r:client_xevent_t:s0
+event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
+
+# Default fallback type
+event * system_u:object_r:xevent_t:s0
diff --git a/config/appconfig-mcs/xguest_u_default_contexts b/config/appconfig-mcs/xguest_u_default_contexts
new file mode 100644
index 000000000..574363b57
--- /dev/null
+++ b/config/appconfig-mcs/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff --git a/config/appconfig-mls/dbus_contexts b/config/appconfig-mls/dbus_contexts
new file mode 100644
index 000000000..116e684f9
--- /dev/null
+++ b/config/appconfig-mls/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
new file mode 100644
index 000000000..801d97b6f
--- /dev/null
+++ b/config/appconfig-mls/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/default_type b/config/appconfig-mls/default_type
new file mode 100644
index 000000000..33528d61f
--- /dev/null
+++ b/config/appconfig-mls/default_type
@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
diff --git a/config/appconfig-mls/failsafe_context b/config/appconfig-mls/failsafe_context
new file mode 100644
index 000000000..999abd9a3
--- /dev/null
+++ b/config/appconfig-mls/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/guest_u_default_contexts b/config/appconfig-mls/guest_u_default_contexts
new file mode 100644
index 000000000..e2106efae
--- /dev/null
+++ b/config/appconfig-mls/guest_u_default_contexts
@@ -0,0 +1,5 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
diff --git a/config/appconfig-mls/initrc_context b/config/appconfig-mls/initrc_context
new file mode 100644
index 000000000..4598f92e8
--- /dev/null
+++ b/config/appconfig-mls/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0-mls_systemhigh
diff --git a/config/appconfig-mls/media b/config/appconfig-mls/media
new file mode 100644
index 000000000..81f3463e0
--- /dev/null
+++ b/config/appconfig-mls/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-mls/removable_context b/config/appconfig-mls/removable_context
new file mode 100644
index 000000000..7fcc56e43
--- /dev/null
+++ b/config/appconfig-mls/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts
new file mode 100644
index 000000000..7805778a2
--- /dev/null
+++ b/config/appconfig-mls/root_default_contexts
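Review bot: The MLS guest_u_default_contexts has five entries and lacks the `system_r:initrc_su_t:s0 guest_r:guest_t:s0` line that the MCS version of the same file earlier in this commit carries as its third entry, so the two variants are not functionally equivalent for guest_u. If the omission is deliberate, a comment explaining why MLS guests get no initrc_su_t mapping would help the next reader; otherwise the line should probably be added so guest_u resolves the same way under both policy types. Whether initrc_su_t even exists in the MLS build is not visible from this hunk.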
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/securetty_types b/config/appconfig-mls/securetty_types
new file mode 100644
index 000000000..527d8358e
--- /dev/null
+++ b/config/appconfig-mls/securetty_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/config/appconfig-mls/sepgsql_contexts b/config/appconfig-mls/sepgsql_contexts
new file mode 100644
index 000000000..76ff21cd7
--- /dev/null
+++ b/config/appconfig-mls/sepgsql_contexts
@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (MLS)
+#
+
+# <databases>
+db_database * system_u:object_r:sepgsql_db_t:s0
+
+# <schemas>
+db_schema *.* system_u:object_r:sepgsql_schema_t:s0
+
+# <tables>
+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_table *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <column>
+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0
+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <sequences>
+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0
+
+# <views>
+db_view *.*.* system_u:object_r:sepgsql_view_t:s0
+
+# <procedures>
+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0
+
+# <tuples>
+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <blobs>
+db_blob *.* system_u:object_r:sepgsql_blob_t:s0
+
+# <language>
+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.* system_u:object_r:sepgsql_lang_t:s0
diff --git a/config/appconfig-mls/seusers b/config/appconfig-mls/seusers
new file mode 100644
index 000000000..dc156bfa8
--- /dev/null
+++ b/config/appconfig-mls/seusers
@@ -0,0 +1,3 @@
+system_u:system_u:s0-mls_systemhigh
+root:root:s0-mls_systemhigh
+__default__:user_u:s0
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
new file mode 100644
index 000000000..881a292e3
--- /dev/null
+++ b/config/appconfig-mls/staff_u_default_contexts
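Review bot: The MLS sepgsql_contexts differs from the MCS file only in its title line; every context is still pinned at `:s0` with no range, so under MLS all SE-PostgreSQL objects would be created single-level at the bottom of the lattice. If that is the intended default, the header comment should say so, e.g. `# All objects default to s0; adjust levels/ranges per deployment`, so the file is not mistaken for an MCS copy that was never adapted. Whether the sepgsql domains' MLS constraints make any other level sensible here cannot be determined from this hunk.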
@@ -0,0 +1,10 @@
+system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:xdm_t:s0 staff_r:staff_t:s0
+staff_r:staff_su_t:s0 staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
diff --git a/config/appconfig-mls/unconfined_u_default_contexts b/config/appconfig-mls/unconfined_u_default_contexts
new file mode 100644
index 000000000..106e093d8
--- /dev/null
+++ b/config/appconfig-mls/unconfined_u_default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
new file mode 100644
index 000000000..cacbc939f
--- /dev/null
+++ b/config/appconfig-mls/user_u_default_contexts
@@ -0,0 +1,8 @@
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 user_r:user_t:s0
+
diff --git a/config/appconfig-mls/userhelper_context b/config/appconfig-mls/userhelper_context
new file mode 100644
index 000000000..dc37a69bb
--- /dev/null
+++ b/config/appconfig-mls/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/virtual_domain_context b/config/appconfig-mls/virtual_domain_context
new file mode 100644
index 000000000..d387b428b
--- /dev/null
+++ b/config/appconfig-mls/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff --git a/config/appconfig-mls/virtual_image_context b/config/appconfig-mls/virtual_image_context
new file mode 100644
index 000000000..8ab1e27ea
--- /dev/null
+++ b/config/appconfig-mls/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff --git a/config/appconfig-mls/x_contexts b/config/appconfig-mls/x_contexts
new file mode 100644
index 000000000..0b3204435
--- /dev/null
+++ b/config/appconfig-mls/x_contexts
@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_t:s0
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
+
+# Clipboard and selection properties
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
+
+# Default fallback type
+property * system_u:object_r:xproperty_t:s0
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t:s0
+
+# Standard extensions
+extension * system_u:object_r:xextension_t:s0
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context. A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
+selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
+
+# Default fallback type
+selection * system_u:object_r:xselection_t:s0
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context. A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress system_u:object_r:input_xevent_t:s0
+event X11:KeyRelease system_u:object_r:input_xevent_t:s0
+event X11:ButtonPress system_u:object_r:input_xevent_t:s0
+event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
+event X11:MotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
+
+# Client message events
+event X11:ClientMessage system_u:object_r:client_xevent_t:s0
+event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
+
+# Default fallback type
+event * system_u:object_r:xevent_t:s0
diff --git a/config/appconfig-mls/xguest_u_default_contexts b/config/appconfig-mls/xguest_u_default_contexts
new file mode 100644
index 000000000..574363b57
--- /dev/null
+++ b/config/appconfig-mls/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff --git a/config/appconfig-standard/dbus_contexts b/config/appconfig-standard/dbus_contexts
new file mode 100644
index 000000000..116e684f9
--- /dev/null
+++ b/config/appconfig-standard/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
new file mode 100644
index 000000000..64a0a90c3
--- /dev/null
+++ b/config/appconfig-standard/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t
+system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
+system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+system_r:sulogin_t sysadm_r:sysadm_t
+system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+
+staff_r:staff_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
+
+sysadm_r:sysadm_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
+
+user_r:user_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t
diff --git a/config/appconfig-standard/default_type b/config/appconfig-standard/default_type
new file mode 100644
index 000000000..33528d61f
--- /dev/null
+++ b/config/appconfig-standard/default_type
@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
diff --git a/config/appconfig-standard/failsafe_context b/config/appconfig-standard/failsafe_context
new file mode 100644
index 000000000..2f96c9fda
--- /dev/null
+++ b/config/appconfig-standard/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t
diff --git a/config/appconfig-standard/guest_u_default_contexts b/config/appconfig-standard/guest_u_default_contexts
new file mode 100644
index 000000000..85a35fb1b
--- /dev/null
+++ b/config/appconfig-standard/guest_u_default_contexts
@@ -0,0 +1,7 @@
+guest_r:guest_t guest_r:guest_t
+system_r:crond_t guest_r:guest_t
+system_r:initrc_su_t guest_r:guest_t
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+
diff --git a/config/appconfig-standard/initrc_context b/config/appconfig-standard/initrc_context
new file mode 100644
index 000000000..7fcf70bdf
--- /dev/null
+++ b/config/appconfig-standard/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t
diff --git a/config/appconfig-standard/media b/config/appconfig-standard/media
new file mode 100644
index 000000000..de2a65278
--- /dev/null
+++ b/config/appconfig-standard/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t
+floppy system_u:object_r:removable_device_t
+disk system_u:object_r:fixed_disk_device_t
diff --git a/config/appconfig-standard/removable_context b/config/appconfig-standard/removable_context
new file mode 100644
index 000000000..d4921f03f
--- /dev/null
+++ b/config/appconfig-standard/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t
diff --git a/config/appconfig-standard/root_default_contexts b/config/appconfig-standard/root_default_contexts
new file mode 100644
index 000000000..f5225686c
--- /dev/null
+++ b/config/appconfig-standard/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
+system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/config/appconfig-standard/securetty_types b/config/appconfig-standard/securetty_types
new file mode 100644
index 000000000..527d8358e
--- /dev/null
+++ b/config/appconfig-standard/securetty_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/config/appconfig-standard/sepgsql_contexts b/config/appconfig-standard/sepgsql_contexts
new file mode 100644
index 000000000..c72815122
--- /dev/null
+++ b/config/appconfig-standard/sepgsql_contexts
@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (none-MLS)
+#
+
+# <databases>
+db_database * system_u:object_r:sepgsql_db_t
+
+# <schemas>
+db_schema *.* system_u:object_r:sepgsql_schema_t
+
+# <tables>
+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t
+db_table *.*.* system_u:object_r:sepgsql_table_t
+
+# <column>
+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t
+db_column *.*.*.* system_u:object_r:sepgsql_table_t
+
+# <sequences>
+db_sequence *.*.* system_u:object_r:sepgsql_seq_t
+
+# <views>
+db_view *.*.* system_u:object_r:sepgsql_view_t
+
+# <procedures>
+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t
+
+# <tuples>
+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t
+db_tuple *.*.* system_u:object_r:sepgsql_table_t
+
+# <blobs>
+db_blob *.* system_u:object_r:sepgsql_blob_t
+
+# <language>
+db_language *.sql system_u:object_r:sepgsql_safe_lang_t
+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t
+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t
+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t
+db_language *.* system_u:object_r:sepgsql_lang_t
diff --git a/config/appconfig-standard/seusers b/config/appconfig-standard/seusers
new file mode 100644
index 000000000..36b193b17
--- /dev/null
+++ b/config/appconfig-standard/seusers
@@ -0,0 +1,3 @@
+system_u:system_u
+root:root
+__default__:user_u
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
new file mode 100644
index 000000000..c2a5ea871
--- /dev/null
+++ b/config/appconfig-standard/staff_u_default_contexts
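Review bot: The header comment of the non-MLS sepgsql_contexts reads `# Initial security label for SE-PostgreSQL (none-MLS)`; the intended word is `non-MLS`. Suggest `# Initial security label for SE-PostgreSQL (non-MLS)` so the wording lines up with the `(MCS)` and `(MLS)` titles of the sibling files added in this commit.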
@@ -0,0 +1,10 @@
+system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
+system_r:remote_login_t staff_r:staff_t
+system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
+system_r:crond_t staff_r:cronjob_t
+system_r:xdm_t staff_r:staff_t
+staff_r:staff_su_t staff_r:staff_t
+staff_r:staff_sudo_t staff_r:staff_t
+sysadm_r:sysadm_su_t sysadm_r:sysadm_t
+sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
+
diff --git a/config/appconfig-standard/unconfined_u_default_contexts b/config/appconfig-standard/unconfined_u_default_contexts
new file mode 100644
index 000000000..e340b2199
--- /dev/null
+++ b/config/appconfig-standard/unconfined_u_default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
+system_r:initrc_t unconfined_r:unconfined_t
+system_r:local_login_t unconfined_r:unconfined_t
+system_r:remote_login_t unconfined_r:unconfined_t
+system_r:rshd_t unconfined_r:unconfined_t
+system_r:sshd_t unconfined_r:unconfined_t
+system_r:sysadm_su_t unconfined_r:unconfined_t
+system_r:unconfined_t unconfined_r:unconfined_t
+system_r:xdm_t unconfined_r:unconfined_t
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
new file mode 100644
index 000000000..f5bfac34a
--- /dev/null
+++ b/config/appconfig-standard/user_u_default_contexts
@@ -0,0 +1,8 @@
+system_r:local_login_t user_r:user_t
+system_r:remote_login_t user_r:user_t
+system_r:sshd_t user_r:user_t
+system_r:crond_t user_r:cronjob_t
+system_r:xdm_t user_r:user_t
+user_r:user_su_t user_r:user_t
+user_r:user_sudo_t user_r:user_t
+
diff --git a/config/appconfig-standard/userhelper_context b/config/appconfig-standard/userhelper_context
new file mode 100644
index 000000000..081e93b43
--- /dev/null
+++ b/config/appconfig-standard/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t
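Review bot: `system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t` offers sysadm_r:sysadm_t as an alternative for SSH logins while the neighbouring `remote_login_t` and `xdm_t` rows offer staff_r only; if sshd/pam_selinux honour a role request (`ssh user/sysadm_r@host`), this row lets a staff_u account open a remote sysadm_r session directly rather than transitioning from staff_t via newrole or sudo. For a hardened profile consider narrowing it to `system_r:sshd_t staff_r:staff_t` and leaving `local_login_t` as the only login path that lists sysadm_r, or add a comment stating that direct remote sysadm_r login for staff is intended. Whether the policy actually permits that role at sshd login is decided by the staff/sysadm modules, not by this file, so confirm against them before changing the row.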
diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
new file mode 100644
index 000000000..c049e104b
--- /dev/null
+++ b/config/appconfig-standard/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t
diff --git a/config/appconfig-standard/virtual_image_context b/config/appconfig-standard/virtual_image_context
new file mode 100644
index 000000000..fca6046d5
--- /dev/null
+++ b/config/appconfig-standard/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t
+system_u:object_r:virt_content_t
diff --git a/config/appconfig-standard/x_contexts b/config/appconfig-standard/x_contexts
new file mode 100644
index 000000000..5b752f859
--- /dev/null
+++ b/config/appconfig-standard/x_contexts
@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_t
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t
+
+# Clipboard and selection properties
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t
+
+# Default fallback type
+property * system_u:object_r:xproperty_t
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t
+
+# Standard extensions
+extension * system_u:object_r:xextension_t
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context. A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY system_u:object_r:clipboard_xselection_t
+selection CLIPBOARD system_u:object_r:clipboard_xselection_t
+
+# Default fallback type
+selection * system_u:object_r:xselection_t
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context. A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress system_u:object_r:input_xevent_t
+event X11:KeyRelease system_u:object_r:input_xevent_t
+event X11:ButtonPress system_u:object_r:input_xevent_t
+event X11:ButtonRelease system_u:object_r:input_xevent_t
+event X11:MotionNotify system_u:object_r:input_xevent_t
+event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t
+event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t
+event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t
+event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t
+event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t
+event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t
+event XInputExtension:ProximityIn system_u:object_r:input_xevent_t
+event XInputExtension:ProximityOut system_u:object_r:input_xevent_t
+
+# Client message events
+event X11:ClientMessage system_u:object_r:client_xevent_t
+event X11:SelectionNotify system_u:object_r:client_xevent_t
+event X11:UnmapNotify system_u:object_r:client_xevent_t
+event X11:ConfigureNotify system_u:object_r:client_xevent_t
+
+# Default fallback type
+event * system_u:object_r:xevent_t
diff --git a/config/appconfig-standard/xguest_u_default_contexts b/config/appconfig-standard/xguest_u_default_contexts
new file mode 100644
index 000000000..55d44d1b7
--- /dev/null
+++ b/config/appconfig-standard/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t xguest_r:xguest_t
+system_r:initrc_su_t xguest_r:xguest_t
+system_r:local_login_t xguest_r:xguest_t
+system_r:remote_login_t xguest_r:xguest_t
+system_r:sshd_t xguest_r:xguest_t
+system_r:xdm_t xguest_r:xguest_t
+xguest_r:xguest_t xguest_r:xguest_t
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
new file mode 100644
index 000000000..32b87a4fd
--- /dev/null
+++ b/config/file_contexts.subs_dist
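Review bot: The selection rules label PRIMARY and CLIPBOARD as clipboard_xselection_t but let SECONDARY, the third standard ICCCM selection, fall through to the generic `selection *` row, so a policy that confines clipboard traffic through clipboard_xselection_t leaves one user-data channel uncovered. Add `selection SECONDARY system_u:object_r:clipboard_xselection_t` beside the two existing rows. The rest of the file keeps the catch-all rows last as the section comments require; the x_contexts hunk begins in the previous physical line.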
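Review bot: The `system_r:sshd_t xguest_r:xguest_t` and `system_r:remote_login_t xguest_r:xguest_t` rows give xguest_u a login mapping for remote services even though the xguest role is intended for a local, display-manager (`xdm_t`) guest session. Whether a remote xguest login actually succeeds is decided by the policy's permissions for xguest_t rather than by this file, but the rows invite it and document nothing. If remote guest logins are not intended, drop those two rows; otherwise add `# sshd_t/remote_login_t listed for completeness; the xguest module denies remote logins` once that has been verified against the module.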
@@ -0,0 +1,7 @@
+/lib32 /lib
+/lib64 /lib
+/run /var/run
+/run/lock /var/lock
+/usr/lib32 /usr/lib
+/usr/lib64 /usr/lib
+/var/run/lock /var/lock
diff --git a/config/local.users b/config/local.users
new file mode 100644
index 000000000..7e2bf7aa4
--- /dev/null
+++ b/config/local.users
@@ -0,0 +1,21 @@
+##################################
+#
+# User configuration.
+#
+# This file defines additional users recognized by the system security policy.
+# Only the user identities defined in this file and the system.users file
+# may be used as the user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity. The syntax of a user declaration is:
+#
+# user username roles role_set [ level default_level range allowed_range ];
+#
+# The MLS default level and allowed range should only be specified if
+# MLS was enabled in the policy.
+
+# sample for administrative user
+# user jadmin roles { staff_r sysadm_r };
+
+# sample for regular user
+#user jdoe roles { user_r }; |
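Review bot: `/run /var/run` and `/run/lock /var/lock` overlap: a path under `/run/lock` matches both prefixes, and a subs lookup applies only one entry, so `/run/lock/foo` is labelled as `/var/lock/foo` (rather than `/var/run/lock/foo`) only if the longer entry is consulted first. As far as I recall libselinux builds the substitution list so that later lines are tried first, which this order satisfies, but the dependency is silent and a reordering would not be caught at build time. Verify with `matchpathcon /run/lock/subsys` on an installed system and, if the subs parser accepts `#` comments, record the constraint with `# /run/lock must stay after /run (later lines take precedence)`.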
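Review bot: The note `# The MLS default level and allowed range should only be specified if MLS was enabled in the policy.` is misleading for MCS builds, which this tree also ships configuration for: an MCS policy carries a level as well (`s0`), and as far as I know checkpolicy rejects `user` declarations that omit the level/range clause there, so an admin following the comment on an MCS system gets a policy that fails to build. Suggest `# The level/range clause is required when the policy is built with MLS or MCS support and must be omitted for the standard (non-MLS) build.` It would also help to show the MCS form in the sample, e.g. `# user jadmin roles { staff_r sysadm_r } level s0 range s0 - mcs_systemhigh;`.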